2

Our security team found the issue below with JDWP in JBoss. How can I fix this?

-Djavax.net.ssl.trustStorePassword=changeit -Dhttps.protocols=TLSv1 -Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dorg.jboss.boot.log.file=/

Title: Java Debug Wire Protocol Remote Code Execution Vulnerability

Severity: Critical

Description

Affected Hosts

  • IP address:tcp/8787

The remote server is running Java Debug Wire Protocol service. No authentication is required if the service is enabled.

The vulnerabilities can be exploited by malicious users to execute arbitrary code.

Remediation

Disable the service

Proof of Concept

Java Debug Wire Protocol Remote Code Execution Vulnerability detected on port 8787 over TCP.

Thanks, Vishnu

slodeveloper
Srivi

2 Answers

1

You just need to disable the remote debugging. Change your command options to:

-Djavax.net.ssl.trustStorePassword=changeit -Dhttps.protocols=TLSv1 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dorg.jboss.boot.log.file=/
delephin
1

You have: address=8787 (in my case, I had address=*:5005) which means your machine will accept connections from any host (source). This allows an attacker to execute arbitrary code on the machine running this (yet another source).
In my case disabling remote debug wasn't an option, so instead I specified which hosts can have access, which was the localhost, i.e., address=localhost:5005. This allows only the localhost to connect and no one else.

asherbret
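An added example, not part of the original question or answers: a small Python audit that finds the JDWP agent option in a JVM option string, classifies its listener as network-reachable or loopback-only (the second answer's fix), and produces the option string with debugging removed (the first answer's fix). The function names `audit_jdwp` and `strip_jdwp` are hypothetical; `QUESTION_OPTS` is the options line from the question.

```python
import re
import shlex

# Options line from the question (truncated there at "log.file=/").
QUESTION_OPTS = (
    "-Djavax.net.ssl.trustStorePassword=changeit -Dhttps.protocols=TLSv1 "
    "-Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n "
    "-Dsun.rmi.dgc.client.gcInterval=3600000 "
    "-Dsun.rmi.dgc.server.gcInterval=3600000 -Dorg.jboss.boot.log.file=/"
)

# Both spellings load the JDWP agent: legacy -Xrunjdwp: and -agentlib:jdwp=
_JDWP = re.compile(r"^(?:-Xrunjdwp:|-agentlib:jdwp=)(.*)$")
_LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def audit_jdwp(java_opts):
    """Return one finding per JDWP agent option found in a JVM option string."""
    findings = []
    for opt in shlex.split(java_opts):
        m = _JDWP.match(opt)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
        host, _, port = kv.get("address", "").rpartition(":")
        if kv.get("server") != "y":
            exposure = "outbound"   # JVM dials out to a debugger; no listener
        elif host in _LOOPBACK:
            exposure = "loopback"   # second answer's fix: address=localhost:5005
        else:
            # "*", a routable host, or a bare port. A bare port listens on all
            # interfaces before JDK 9 and on localhost only from JDK 9 on;
            # flagged conservatively since the JDK version is not known here.
            exposure = "network"
        findings.append({"option": opt, "port": port, "exposure": exposure})
    return findings


def strip_jdwp(java_opts):
    """First answer's fix: drop -Xdebug and the JDWP agent option entirely."""
    kept = [o for o in shlex.split(java_opts)
            if o != "-Xdebug" and not _JDWP.match(o)]
    return " ".join(shlex.quote(o) for o in kept)


if __name__ == "__main__":
    for f in audit_jdwp(QUESTION_OPTS):
        print(f)
    print(strip_jdwp(QUESTION_OPTS))
```

Run it against the option string the server was actually started with (for example the `java` command line shown by `ps`), since startup scripts and environment variables can each contribute options.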