https://issues.apache.org/bugzilla/show_bug.cgi?id=55931
Bug ID: 55931
Summary: Security: Tomcat7 opens 2 additional random ports that
listen for all IPs when JMX is enabled
Product: Tomcat 7
Version: 7.0.47
Hardware: Other
OS: other
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
I run 7.0.47 using Java 1.7.0_45-b18 on CentOS 6.
I enabled JMX using the following options:
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9123
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.local.only=true"
Unfortunately, when I check what ports are opened I discover 2 additional
random ports:
netstat -plunt | grep java
Proto Recv-Q Send-Q Local Address          Foreign Address  State   PID/Program name
tcp   0      0      :::60555               :::*             LISTEN  22752/java
tcp   0      0      ::ffff:127.0.0.1:8080  :::*             LISTEN  22752/java
tcp   0      0      :::9123                :::*             LISTEN  22752/java
tcp   0      0      :::40867               :::*             LISTEN  22752/java
Please note that on each restart only the configured ports 8080 and 9123 remain
the same, and the two additional ports change values.
It is a security problem, since Tomcat listens on all IPs.
Why does JMX in Tomcat open 2 additional ports?
How can I configure these ports?
How can I configure it so that `::ffff:127.0.0.1` appears before all ports opened
by JMX?
I have configured JmxRemoteLifecycleListener
http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#JMX_Remote_Lifecycle_Listener_-_org.apache.catalina.mbeans.JmxRemoteLifecycleListener
Using the following configuration:
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="9123" rmiServerPortPlatform="10002"
rmiBindAddress="localhost"/>
In this case only one random port (60714 in the list below) appears:
tcp 0 0 ::ffff:127.0.0.1:8080 :::*
tcp 0 0 ::ffff:127.0.0.1:10002 :::*
tcp 0 0 ::ffff:127.0.0.1:9123 :::*
tcp 0 0 :::60714 :::*
Why does JMX in Tomcat open 1 additional port?
How can I configure the port?
How can I configure it so that `::ffff:127.0.0.1` appears before all ports opened
by JMX?
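
One way to audit a listing like the ones above, as an added example that is not part of the original report or of Tomcat: the function classify_java_listeners (a hypothetical name) reads `netstat -plnt` output and labels each java listener as loopback, wildcard on a configured port, or wildcard on a random port. The sample lines are constructed from the listing in the report plus an invented sshd line, and the list of configured ports is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the bug report): classify java TCP listeners
# found in `netstat -plnt` output read from stdin.
# $1 = space-separated list of ports you configured on purpose (assumption).
classify_java_listeners() {
    awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    # Only listening TCP sockets owned by a java process.
    $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/java$/ {
        port = $4; sub(/^.*:/, "", port)       # text after the last colon
        host = $4; sub(/:[0-9]+$/, "", host)   # text before the port
        if (host == "::" || host == "0.0.0.0" || host == "*")
            kind = (port in ok) ? "wildcard-configured" : "wildcard-random"
        else if (host == "127.0.0.1" || host == "::1" || host == "::ffff:127.0.0.1")
            kind = "loopback"
        else
            kind = "specific-address"
        print port, kind
    }'
}

# Constructed sample: the four java rows from the report, joined onto one
# line each, plus an invented sshd row that the filter must skip.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::60555 :::* LISTEN 22752/java
tcp 0 0 ::ffff:127.0.0.1:8080 :::* LISTEN 22752/java
tcp 0 0 :::9123 :::* LISTEN 22752/java
tcp 0 0 :::40867 :::* LISTEN 22752/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1200/sshd'

# Demo run against the sample; on a live host use:
#   netstat -plnt | classify_java_listeners "8080 9123"
printf '%s\n' "$SAMPLE" | classify_java_listeners "8080 9123"
```

Any line labelled wildcard-configured or wildcard-random is a socket reachable on every interface, including the configured JMX port 9123 in the first listing.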