Package: openjdk-11-jdk
Version: 11.0.5+10-2
Severity: important
File: /usr/lib/jvm/java-11-openjdk-amd64/bin/jconsole
Tags: security

Hi,

Except if I'm severely mistaken, it seems that jconsole does not verify the domain name nor check whether the CA is trusted when connecting to a JVM that has SSL enabled for JMX.

This can lead to MITM and stealing of the credentials used to connect to JMX.

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

Versions of packages openjdk-11-jdk:amd64 depends on:
ii  libc6                    2.29-3
ii  openjdk-11-jdk-headless  11.0.5+10-2
ii  openjdk-11-jre           11.0.5+10-2

Versions of packages openjdk-11-jdk:amd64 recommends:
ii  libxt-dev  1:1.1.5-1+b3

Versions of packages openjdk-11-jdk:amd64 suggests:
pn  openjdk-11-demo    <none>
pn  openjdk-11-source  <none>
pn  visualvm           <none>

-- no debconf information

_______________________________________________
Mailing list: https://launchpad.net/~openjdk
Post to     : openjdk@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openjdk
More help   : https://help.launchpad.net/ListHelp
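The two checks the report says jconsole skips, chain validation against a chosen CA and RFC 6125 hostname matching, can be performed independently with a small standalone probe. The following is an added example, not code from the bug report, from jconsole or from OpenJDK; the class name `JmxTlsProbe`, the PKCS12 truststore path and the command-line layout are assumptions of this example. It opens a TLS connection to the port that `com.sun.management.jmxremote.ssl=true` wraps in TLS (the RMI server port set by `com.sun.management.jmxremote.rmi.port`; the registry port is plain unless `com.sun.management.jmxremote.registry.ssl=true`), trusting only the CAs in the supplied store and enabling endpoint identification, so it fails the handshake exactly where a verifying client should:

```java
// Added example (not part of the bug report or of OpenJDK): a standalone probe
// that validates the certificate chain against a pinned truststore and checks
// the hostname before any JMX credential would be sent.
// Usage: java JmxTlsProbe <host> <rmi-port> <truststore.p12> <password>
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public final class JmxTlsProbe {

    /** Build an SSLContext that trusts only the CAs in the given PKCS12 store (no fallback to cacerts). */
    static SSLContext pinnedContext(String storePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Handshake with host:port, rejecting an untrusted chain or a name mismatch.
     * Returns the peer's leaf certificate on success.
     */
    static X509Certificate probe(SSLContext ctx, String host, int port) throws IOException {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // RFC 6125 matching of the connected host against the SAN/CN.
            // Plain SSL sockets do not do this unless asked.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException on bad chain or wrong name
            Certificate[] chain = s.getSession().getPeerCertificates();
            return (X509Certificate) chain[0];
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: JmxTlsProbe <host> <rmi-port> <truststore.p12> <password>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = pinnedContext(args[2], args[3].toCharArray());
        try {
            X509Certificate leaf = probe(ctx, host, port);
            System.out.println("OK: " + host + ":" + port + " presented "
                + leaf.getSubjectX500Principal() + " issued by " + leaf.getIssuerX500Principal());
        } catch (SSLHandshakeException e) {
            // This is the outcome a MITM with a self-signed or wrong-name certificate should produce.
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it against the same host and port that jconsole is given; a connection that jconsole accepts but this probe rejects is the behaviour the report describes. If the target JVM requires client certificates (`com.sun.management.jmxremote.ssl.need.client.auth=true`), the server will abort the handshake after the server certificate has already been checked, so pass a KeyManager to `ctx.init(...)` to complete the probe in that configuration.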