Thank you, Chris, for inputs. I have created a BZ ticket: https://bz.apache.org/bugzilla/show_bug.cgi?id=67065
Thanks,
Amit

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, August 14, 2023 10:47 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [External] Re: listening all local addresses by default is not security best practice

On 8/6/23 13:25, Amit Pande wrote:
> My apologies if I missed any conclusion here.
>
> From the description of address attribute on HTTP connector:
>
> "For servers with more than one IP address, this attribute specifies which
> address will be used for listening on the specified port. By default, the
> connector will listen all local addresses. Unless the JVM is configured
> otherwise using system properties, the Java based connectors (NIO, NIO2) will
> listen on both IPv4 and IPv6 addresses when configured with either 0.0.0.0 or
> ::. The APR/native connector will only listen on IPv4 addresses if configured
> with 0.0.0.0 and will listen on IPv6 addresses (and optionally IPv4 addresses
> depending on the setting of ipv6v6only) if configured with ::."
>
> Is it possible to update the behavior to listen to loopback address only like
> was done for AJP connectors?
>
> On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default
> unless we define address as "127.0.0.1":
>
> tcp 0 0 0.0.0.0:39054 0.0.0.0:* LISTEN 28539/java

Given the documentation quoted above, I would expect that Tomcat would bind to ::1 unless otherwise specified ("all LOCAL addresses", emphasis mine). The behavior you demonstrate above and the code agree that Tomcat will listen on all PUBLIC interfaces, not local ones, by default.
I believe the documentation should be changed to reflect reality, because changing this default could break a lot of installations. Changing the default AJP binding to localhost made sense because a publicly-exposed AJP connector is very insecure, while having HTTP(S) exposed publicly should not present much risk at all.

> Also, is it right that we will need to have two connectors for IPv4 and IPv6
> with address "127.0.0.1" and "::1" respectively to enable binding only on
> loopback addresses?
>
> If we configure two connectors (IPv4 and IPv6 loopback), if one isn't
> available, we see:
>
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> Caused by: java.net.SocketException: Protocol family unavailable
>     at sun.nio.ch.Net.bind0(Native Method)
>
> which has caused confusion/concerns.
>
> What would be a better way to bind on "all available loopback addresses"?
That *would* be handy if ::1 would bind to "all local [IPv4 and IPv6, as appropriate] addresses" just like APR does. Can you please file a BZ ticket for that? I'm surprised it doesn't already work like that, honestly, because it seems completely obvious to me that's how it /should/ work.

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Monday, November 28, 2022 5:21 PM
> To: users@tomcat.apache.org
> Subject: [External] Re: listening all local addresses by default is
> not security best practice
>
> To whom it may concern,
>
> On 11/23/22 14:31, tommydu1...@outlook.com wrote:
>> Hi there,
>>
>> Product: https://bz.apache.org/bugzilla/describecomponents.cgi
>
> [snip]
>
>> The default behaviour of http connector is listening all interfaces.
>
> False.
>
>> It is found in the description of "address" in attributes section.
>> (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)
>
> It's listed in another section, and does not say all interfaces.
>
>> In terms of security default, it could be not best practice. In case of
>> unexpected mistakes made by people, default behaviour of exposing the server
>> to every possible network may pose a potential threat on security.
>
> Good thing Tomcat does not default to that configuration.
>
>> CWE-1327: Binding to an Unrestricted IP Address:
>> https://cwe.mitre.org/data/definitions/1327.html
>>
>> The issue should be a security enhancement. I recommend changing default
>> behaviour to a single interface/network, e.g. loopback interface 127.0.0.1
>> and adding configuration option with default value OFF for 0.0.0.0 or ::.
>
> Sounds great. So what exactly needs to be changed? You want us to pick only
> IPv4 or IPv6?
>
> If not, what you describe is exactly the default configuration that you will
> get.
>
> -chris
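Two practical points come out of the thread: a loopback-only deployment needs one Connector per protocol family, and a Connector for a family the host lacks fails at startup with "Protocol family unavailable"; separately, Amit's netstat line is the quickest way to spot a wildcard bind (the CWE-1327 case). The script below is an added example, not code from the thread or from Tomcat: it probes 127.0.0.1 and ::1 with a throwaway socket, emits an HTTP Connector element only for the families the host actually accepts, and classifies netstat-style LISTEN lines as wildcard, loopback or specific. The port 8080 and the other Connector attributes are assumed values, and the netstat sample is constructed (only its first line is the one quoted above).

```python
import ipaddress
import socket
from xml.sax.saxutils import quoteattr

# The two loopback addresses the thread says need one Connector each.
LOOPBACK_ADDRESSES = ("127.0.0.1", "::1")


def loopback_bindable(address, port=0):
    """Return True if this host lets a TCP listener bind to `address`.

    On a host without the matching protocol family, socket() or bind()
    raises OSError (EAFNOSUPPORT, which the JVM reports as
    "Protocol family unavailable", the cause in the thread's stack trace).
    Port 0 asks the OS for any free port, so the probe never collides
    with a running Tomcat.
    """
    try:
        version = ipaddress.ip_address(address).version
    except ValueError:
        return False
    family = socket.AF_INET6 if version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            if family == socket.AF_INET6 and hasattr(socket, "IPPROTO_IPV6") \
                    and hasattr(socket, "IPV6_V6ONLY"):
                # Keep the IPv6 probe from implicitly claiming IPv4 too.
                sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            sock.bind((address, port))
            sock.listen(1)
            return True
    except OSError:
        return False


def available_loopbacks():
    """The subset of LOOPBACK_ADDRESSES this host can actually bind."""
    return [a for a in LOOPBACK_ADDRESSES if loopback_bindable(a)]


def connector_xml(addresses, port=8080):
    """Emit one HTTP <Connector> per address for server.xml.
    Port 8080 and the other attributes are assumed values, not from the thread."""
    return "\n".join(
        f'<Connector port="{port}" protocol="HTTP/1.1" address={quoteattr(a)} '
        f'connectionTimeout="20000" redirectPort="8443" />'
        for a in addresses
    )


def bind_scope(local_address):
    """Classify a netstat 'Local Address' value: wildcard (0.0.0.0 or ::,
    the CWE-1327 case), loopback, specific, or unknown."""
    host, _, _port = local_address.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "specific"


def audit_listeners(netstat_output):
    """Return (local_address, scope) for every LISTEN line in `netstat -tlnp`
    style output; the wildcard entries are the ones to review."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "LISTEN":
            findings.append((fields[3], bind_scope(fields[3])))
    return findings


# Constructed sample: the first line is the one quoted in the thread; the
# others are made up to show loopback-only and wildcard IPv6 listeners.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:39054           0.0.0.0:*               LISTEN      28539/java
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      28539/java
tcp6       0      0 ::1:8080                :::*                    LISTEN      28539/java
tcp6       0      0 :::8009                 :::*                    LISTEN      28539/java
"""

if __name__ == "__main__":
    usable = available_loopbacks()
    print("bindable loopback addresses:", usable)
    print(connector_xml(usable))
    for addr, scope in audit_listeners(SAMPLE_NETSTAT):
        flag = "  <-- review" if scope == "wildcard" else ""
        print(f"{addr:24} {scope}{flag}")
```

Running the script on the Tomcat host prints only the Connector elements that will initialize there, which avoids the LifecycleException from a ::1 Connector on an IPv4-only box; the probe is deliberately separate from any JVM setting such as a preferIPv4Stack property, so it reflects what the OS itself accepts. The audit half takes real `netstat -tlnp` output in place of SAMPLE_NETSTAT and flags each 0.0.0.0 or :: listener for review.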