dill21yu opened a new issue, #17737: URL: https://github.com/apache/dolphinscheduler/issues/17737
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar feature requirement.

### Description

Part of #15940

**Vulnerability name**: JDWP unauthorized access (configuration/runtime risk)

**Category**: Unauthorized access / runtime configuration

Affected components/modules (please fill):

- Check Dockerfiles, container entrypoints, Kubernetes manifests/Helm charts, systemd unit files and CI/CD pipeline scripts in directories such as `docker/`, `deploy/`, `helm/`, etc.

## Description

JDWP (Java Debug Wire Protocol) is used for remote debugging of JVM applications. If JDWP is enabled and listening on a network interface exposed to untrusted networks (for example via JVM args like `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005`), attackers can connect to the JVM debug port and perform actions including reading/modifying memory, executing code, or hijacking the process. This is a configuration vulnerability rather than a code CVE.

## Recommended fix

- Remove JDWP / remote debug JVM arguments from production images and deployment start commands.
- If remote debugging is required for narrow cases, bind the debug listener to `localhost` (127.0.0.1) and restrict access to trusted networks only.
- Add CI checks that scan built images and deployment artifacts for presence of JDWP-related JVM options (`jdwp`, `agentlib`, `transport=dt_socket`, etc.).
- Update deployment documentation and runbooks to warn against enabling JDWP in production.

## References

- Parent tracking issue: #15940

### Are you willing to submit a PR?

- [x] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
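The CI check proposed in the issue, written out as an added example (this is not DolphinScheduler project code and the file names, paths and sample artifacts it creates are constructed for the demonstration): it scans deployment files for JDWP options, warns on loopback-bound listeners and fails the build on any listener bound to another address.

```shell
#!/bin/sh
# Added example, not DolphinScheduler project code: a CI gate that scans
# Dockerfiles, entrypoints, Helm charts and unit files for JDWP remote-debug
# JVM options and fails when the listener is not loopback-only.

# Print each match as file:line:text for every JDWP / dt_socket option.
jdwp_hits() {
    grep -rnIE -- '-agentlib:jdwp|-Xrunjdwp|transport=dt_socket' "$@" 2>/dev/null
}

# Succeed only when the option binds a loopback address. A bare port
# (address=5005) is treated as exposed: JDK 8 and earlier listen on all
# interfaces for it, JDK 9+ on localhost, so the conservative reading is
# the right one for a gate that cannot know which JDK runs the image.
jdwp_is_loopback() {
    printf '%s\n' "$1" | grep -qE 'address=(127\.0\.0\.1|localhost|\[::1\]):[0-9]+'
}

# Scan the given files/directories. Returns 0 when no exposed listener is
# found, 1 otherwise; loopback-only listeners are warned about but allowed.
jdwp_scan() {
    jdwp_hits "$@" | while IFS= read -r hit; do
        if jdwp_is_loopback "$hit"; then
            printf 'WARN loopback-only debug listener: %s\n' "$hit"
        else
            printf 'FAIL exposed JDWP listener: %s\n' "$hit"
            exit 1   # exits the loop's subshell, so the pipeline returns 1
        fi
    done
}

# Self-check on constructed sample artifacts (not real project files):
# returns 0 when the scan rejects the wildcard bind and accepts the
# loopback-only and debug-free ones.
jdwp_selfcheck() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bad" "$d/ok"
    printf 'ENV JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"\n' \
        > "$d/bad/Dockerfile"
    printf 'JAVA_TOOL_OPTIONS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005\n' \
        > "$d/ok/worker.env"
    printf 'ExecStart=/usr/bin/java -Xmx2g -jar server.jar\n' > "$d/ok/master.service"
    rc=0
    jdwp_scan "$d/bad" >/dev/null && rc=1   # must fail
    jdwp_scan "$d/ok"  >/dev/null || rc=1   # must pass
    rm -rf "$d"
    return $rc
}

# CI usage: sh jdwp_check.sh docker/ deploy/ helm/
if [ $# -gt 0 ]; then jdwp_scan "$@"; fi
```

Run it against the directories the issue lists (`docker/`, `deploy/`, `helm/`) as a pipeline step; a non-zero exit blocks the build until the exposed option is removed or rebound to loopback.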
