My 2 cents:

I think that it would be a very strange change to make to a generic product
and a "sample" configuration file. If Tomcat was packaged in a
distribution, that might be a more reasonable suggestion. I don't think
Tomcat is insecure because of this; binding to addresses/ports is a key
part of configuration of any deployed system and the responsibility of the
person(s) deploying it to ensure correct basic configuration (which this is
part of).

Also, if an attacker manages to add additional IP addresses to your
machine, and your already running processes start taking requests from
them, I think you have much bigger worries than Tomcat happening to take
requests from multiple addresses at that point as the attacker already
pretty much has full control over your machine and can likely edit your
configuration file anyway....

This CWE is really about a deployed system -- not a library or tool...

Just a thought or two...

(Disclaimer: I have no current involvement in the project's
development/maintenance)


On Wed, Nov 23, 2022 at 2:35 PM <tommydu1...@outlook.com> wrote:

> Hi there,
>
> The default behaviour of the HTTP connector is listening on all interfaces. It
> is found in the description of "address" in the attributes section. (
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)
>
> In terms of secure defaults, it may not be best practice. In case of
> unexpected mistakes made by people, the default behaviour of exposing the
> server to every possible network may pose a potential security threat.
>
> CWE-1327: Binding to an Unrestricted IP Address:
> https://cwe.mitre.org/data/definitions/1327.html
>
> The issue should be a security enhancement. I recommend changing the default
> behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1,
> and adding a configuration option with default value OFF for 0.0.0.0 or ::.
>
> If there has been any previous discussion about this, could you please
> tell me?
>
> Hope that I make it clear.
>
>
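For reference, the two configurations the thread contrasts, written as conf/server.xml Connector elements. This is an added illustration, not text from either message or a file from the Tomcat project; the 192.0.2.10 address is a placeholder from the documentation range.

```xml
<!-- Default HTTP connector as shipped in conf/server.xml: no "address"
     attribute, so Tomcat binds the port on every interface (0.0.0.0 / ::).
     This is the behaviour the original message maps to CWE-1327. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Restricted alternative suggested in the thread: bind only to the IPv4
     loopback interface, e.g. when a reverse proxy on the same host fronts
     Tomcat. Use address="::1" for the IPv6 loopback instead. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Binding to one specific interface rather than loopback (placeholder
     address from the 192.0.2.0/24 documentation range; substitute the
     host's real internal address). -->
<Connector port="8080" protocol="HTTP/1.1"
           address="192.0.2.10"
           connectionTimeout="20000"
           redirectPort="8443" />
```

After restarting Tomcat, `ss -ltn` (or `netstat -ltn`) lists the local address each listener is actually bound to, which is the quickest way to confirm the setting took effect.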
