https://bz.apache.org/bugzilla/show_bug.cgi?id=66362
Bug ID: 66362
Summary: listening all local addresses by default is not compliant with security default
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: tommydu1...@outlook.com
Target Milestone: -----

Hi there,

The default behaviour of the HTTP connector is listening on all interfaces. It is found in the description of "address" in the attributes section (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support).

In terms of security defaults, it could not be best practice. In case of unexpected mistakes made by people, the default behaviour of exposing the server to every possible network may pose a potential threat to security (CWE-1327: Binding to an Unrestricted IP Address: https://cwe.mitre.org/data/definitions/1327.html).

The issue should be a security enhancement. I recommend changing the default behaviour to a single interface/network, e.g. the loopback interface 127.0.0.1, and adding a configuration option with default value OFF for 0.0.0.0 or ::.

If there has been any previous discussion about this, could you please tell me more?

Hope that I make it clear.
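The report turns on one documented fact: when a Connector in server.xml has no "address" attribute, Tomcat binds it to every local address. The following checker is an added example, not code from the bug report or from the Tomcat project; it assumes only that documented attribute and treats a missing address, 0.0.0.0 or :: as "all interfaces". The server.xml it scans is a constructed sample that places the default-style connector beside one explicitly bound to 127.0.0.1, so a defender can see which entries the report's proposed default would change.

```python
"""Scan a Tomcat server.xml for Connectors that listen on all interfaces.

Added example, not part of the bug report or of Tomcat itself. It relies
only on the documented Connector "address" attribute: when the attribute
is absent, Tomcat binds to every local address (the default the report
questions).
"""
import xml.etree.ElementTree as ET

# Literal spellings that also mean "every interface" (constructed for this check).
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def find_wildcard_connectors(server_xml: str):
    """Return (port, address) for every Connector bound to all interfaces.

    `address` is None when the attribute is missing, i.e. the Tomcat default.
    Connectors with an explicit non-wildcard address are not reported.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr is None or addr.strip() in WILDCARD_ADDRESSES:
            findings.append((conn.get("port"), addr))
    return findings


# Constructed sample server.xml: two all-interface connectors and one
# hardened connector restricted to the loopback interface.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- no address attribute: listens on every local address -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- explicit wildcard: same effect as leaving the attribute out -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="0.0.0.0" SSLEnabled="true"/>
    <!-- hardened: reachable only from the local host -->
    <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"/>
  </Service>
</Server>
"""


def main():
    for port, addr in find_wildcard_connectors(SAMPLE_SERVER_XML):
        shown = addr if addr is not None else "(absent: default, all interfaces)"
        print(f"Connector port={port} address={shown} listens on all interfaces")


if __name__ == "__main__":
    main()
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; only the connectors that actually need to be reachable from other hosts should remain in its output, and each of those deserves an explicit address rather than the implicit wildcard.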