Thank you, Chris, for inputs.

I have created a BZ ticket: https://bz.apache.org/bugzilla/show_bug.cgi?id=67065

Thanks,
Amit
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Monday, August 14, 2023 10:47 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [External] Re: listening all local addresses by default is not security best practice

On 8/6/23 13:25, Amit Pande wrote:
> My apologies if I missed any conclusion here.
>
>  From the description of address attribute on HTTP connector:
>
> "For servers with more than one IP address, this attribute specifies which 
> address will be used for listening on the specified port. By default, the 
> connector will listen all local addresses. Unless the JVM is configured 
> otherwise using system properties, the Java based connectors (NIO, NIO2) will 
> listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or 
> ::. The APR/native connector will only listen on IPv4 addresses if configured 
> with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses 
> depending on the setting of ipv6v6only) if configured with ::."
>
>
> Is it possible to update the behavior to listen to loopback address only like 
> was done for AJP connectors.
>
> On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default 
> unless we define address as "127.0.0.1" :
>
> tcp        0      0 0.0.0.0:39054           0.0.0.0:*               LISTEN      28539/java

Given the documentation quoted above, I would expect that Tomcat would bind to 
::1 unless otherwise specified ("all LOCAL addresses", emphasis mine). The 
behavior you demonstrate above, and the code agree that Tomcat will listen on 
all PUBLIC interfaces, not local ones, by default.

I believe the documentation should be changed to reflect reality, because 
changing this default could break a lot of installations.
Changing the default AJP binding to localhost made sense because a 
publicly-exposed AJP connector is very insecure, while having HTTP(S) exposed 
publicly should not present much risk at all.

> Also, is it right that we will need to have two connectors for IPv4 and IPv6 
> with address "127.0.0.1" and "::1" respectively to enable binding only on 
> loopback addresses?
>
> If we configure two connectors (IPv4 and IPv6 loopback), if one isn't 
> available, we see:
>
>
>          org.apache.catalina.LifecycleException: Protocol handler initialization failed
>                  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
>                  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>                  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>                  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>                  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040)
>                  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>                  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>                  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                  at java.lang.reflect.Method.invoke(Method.java:498)
>                  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
>                  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
>          Caused by: java.net.SocketException: Protocol family unavailable
>                  at sun.nio.ch.Net.bind0(Native Method)
>
> which has caused confusion/concerns.
>
> What would be a better way to bind on "all available loopback addresses"?

That *would* be handy if ::1 would bind to "all local [IPv4 and IPv6, as 
appropriate] addresses" just like APR does. Can you please file a BZ ticket for 
that? I'm surprised it doesn't already work like that, honestly, because it 
seems completely obvious to me that's how it /should/ work.

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, November 28, 2022 5:21 PM
> To: users@tomcat.apache.org
> Subject: [External] Re: listening all local addresses by default is not security best practice
>
> To whom it may concern,
>
> On 11/23/22 14:31, tommydu1...@outlook.com wrote:
>> Hi there,
>>
>> Product: <https://bz.apache.org/bugzilla/describecomponents.cgi>
>
> [snip]
>> The default behaviour of http connector is listening all interfaces.
>
> False.
>
>> It is found in the description of "address" in attributes section.
>> (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)
> It's listed in another section, and does not say all interfaces.
>
>> In terms of security default, it could be not best practice. In case of 
>> unexpected mistakes made by people, default behaviour of exposing the server 
>> to every possible network may pose a potential threat on security.
>
> Good thing Tomcat does not default to that configuration.
>
>> CWE-1327: Binding to an Unrestricted IP Address:
>> https://cwe.mitre.org/data/definitions/1327.html
>>
>> The issue should be a security enhancement. I recommend changing default 
>> behaviour to a single interface/network, e.g. loopback interface 127.0.0.1 
>> and adding configuration option with default value OFF for 0.0.0.0 or ::.
>
> Sounds great. So what exactly needs to be changed? You want us to pick only 
> IPv4 or IPv6?
>
> If not, what you describe is exactly the default configuration that you will 
> get.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
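A small audit script, added here as an example and not part of the thread or of Tomcat: it parses netstat-style `LISTEN` lines like the one Amit pasted, classifies each listener as wildcard (the CWE-1327 case tommydu raised), loopback or a specific address, and probes whether the host can actually bind 127.0.0.1 and ::1 before a second loopback connector is configured, so the `Protocol family unavailable` failure shown above is found before Tomcat starts. The sample netstat lines are constructed; only the first mirrors the output quoted in the thread.

```python
"""Audit listening sockets for wildcard binds and check which loopback
address families are bindable before configuring per-family connectors."""
import ipaddress
import re
import socket

# Constructed sample in the style of `netstat -tlnp` output. Only the first
# line reproduces the listener quoted in the thread; the rest are made up.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:39054           0.0.0.0:*               LISTEN      28539/java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      28539/java
tcp6       0      0 :::8080                 :::*                    LISTEN      28539/java
tcp6       0      0 ::1:8009                :::*                    LISTEN      28539/java
tcp        0      0 10.0.0.5:8443           0.0.0.0:*               LISTEN      28539/java
"""

# proto, recv-q, send-q, local address, foreign address, state, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")


def split_host_port(local):
    """Split 'host:port' on the last colon so IPv6 forms such as ':::8080'
    (netstat's rendering of [::]:8080) and '::1:8009' are handled."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify(host):
    """Return 'wildcard' for 0.0.0.0 / ::, 'loopback' for 127.x / ::1,
    otherwise 'specific'."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    return "specific"


def audit_listeners(netstat_text):
    """Parse netstat LISTEN lines into dicts with a scope classification."""
    findings = []
    for line in netstat_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        proto, local, process = match.groups()
        host, port = split_host_port(local)
        findings.append({
            "proto": proto,
            "host": host,
            "port": port,
            "scope": classify(host),
            "process": process,
        })
    return findings


def wildcard_ports(findings):
    """Ports bound to an unrestricted address (CWE-1327), sorted."""
    return sorted(f["port"] for f in findings if f["scope"] == "wildcard")


def loopback_families_available():
    """Try to bind each loopback address to an ephemeral port. A family whose
    stack is absent raises OSError, which is what surfaces in Tomcat as
    'java.net.SocketException: Protocol family unavailable' when a connector
    is configured for that family."""
    candidates = [(socket.AF_INET, "127.0.0.1")]
    if socket.has_ipv6:
        candidates.append((socket.AF_INET6, "::1"))
    result = {}
    for family, addr in candidates:
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.bind((addr, 0))
            result[addr] = True
        except OSError:
            result[addr] = False
    return result


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print("{proto:5} {host:>10}:{port:<6} {scope:9} {process}".format(**finding))
    print("wildcard ports:", wildcard_ports(audit_listeners(SAMPLE_NETSTAT)))
    print("bindable loopback addresses:", loopback_families_available())
```

Run it against real `netstat -tlnp` (or `ss -ltnp` reshaped to the same columns) output to confirm that, after setting `address` on each Connector, nothing from the Tomcat PID remains in the wildcard list; configure a `::1` connector only when the probe reports that address as bindable.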