Java Debugging might allow remote connection to Matterhorn

Lars Kiesow

Jul 25, 2014, 11:19:53 AM7/25/14
to security...@opencast.org
Hello,

This is the official security notice regarding a minor security issue
recently discovered in Opencast Matterhorn.

Description:

This issue might allow attackers to remotely connect to any Matterhorn
instance that has Java remote debugging enabled.


Affects:

This issue will only affect you if you are using the Matterhorn start
script intended for development use (bin/start_matterhorn.sh).
Systems using the SysV-Init scripts, the Systemd scripts or the new
start script are NOT affected.


Details:

The script bin/start_matterhorn.sh contains default settings which
allow anyone to attach a remote debugger to Matterhorn:

34) DEBUG_PORT="8000"
35) DEBUG_SUSPEND="n"
36) DEBUG_OPTS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=$DEBUG_PORT,server=y,suspend=$DEBUG_SUSPEND"
99) java $DEBUG_OPTS [...]

The old SysV-Init script had these lines commented out, and the new
one won't include them unless you activate the script's debug mode.


Patching the system:

Unless you need remote debugging, comment out the debugging options
in the mentioned start script (lines 34-36).
On production systems, better yet, switch to the SysV-Init or Systemd
scripts: they are meant for production systems, while
bin/start_matterhorn.sh is not.

If you need remote debugging, please make sure you have configured your
firewall appropriately, restricting access to those machines which
should have access.
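As an added example (not part of the Matterhorn project's scripts), the following fragment shows the corrected form of the settings quoted above beside a check that catches the unconditional ones: JDWP options are emitted only when a debug switch is on, and the socket is bound to loopback rather than every interface. Since a connected JDWP client can invoke arbitrary methods inside the JVM, an exposed debug port is worth auditing for even on hosts where the development script is not supposed to be in use. The variable names MATTERHORN_DEBUG, DEBUG_HOST and DEBUG_PORT, and the sample script lines, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Matterhorn project's scripts.
# MATTERHORN_DEBUG, DEBUG_HOST and DEBUG_PORT are this example's own names.

: "${DEBUG_PORT:=8000}"
: "${DEBUG_HOST:=127.0.0.1}"   # loopback only; the original bound every interface

# Emit JVM debug options only when debugging is explicitly requested.
# $1 (or MATTERHORN_DEBUG) is the switch; anything but y/1/true yields nothing.
# -agentlib:jdwp is the current spelling of -Xdebug -Xrunjdwp, and
# address=host:port restricts the listening socket to that interface.
# On JDK 8 and earlier a bare address=PORT listens on all interfaces;
# JDK 9 and later default a bare port to localhost, but being explicit is cheap.
debug_opts() {
    mode="${1:-${MATTERHORN_DEBUG:-n}}"
    case "$mode" in
        y|Y|1|true)
            printf '%s' "-agentlib:jdwp=transport=dt_socket,address=${DEBUG_HOST}:${DEBUG_PORT},server=y,suspend=n"
            ;;
        *) ;;
    esac
}

# Audit a start script read from stdin. Prints every non-comment line that
# enables JDWP with an address lacking a host part (which binds all
# interfaces on the JDKs current in 2014). Prints nothing when the script is clean.
audit_jdwp() {
    grep -E '^[^#]*jdwp' | grep -vE 'address=[^,]*:' || true
}

# Constructed samples: the advisory's three lines (34-36) as shipped, and a
# hardened variant with the old line commented out and a loopback-bound address.
SAMPLE_VULNERABLE='DEBUG_PORT="8000"
DEBUG_SUSPEND="n"
DEBUG_OPTS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=$DEBUG_PORT,server=y,suspend=$DEBUG_SUSPEND"'

SAMPLE_HARDENED='#DEBUG_OPTS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n"
DEBUG_OPTS="-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:8000,server=y,suspend=n"'

echo "debug off: [$(debug_opts n)]"
echo "debug on:  [$(debug_opts y)]"
echo "audit of vulnerable script (expect the DEBUG_OPTS line):"
printf '%s\n' "$SAMPLE_VULNERABLE" | audit_jdwp
echo "audit of hardened script (expect no output):"
printf '%s\n' "$SAMPLE_HARDENED" | audit_jdwp
```

Run the audit against a real script with `audit_jdwp < bin/start_matterhorn.sh`; any line it prints is one that should be commented out, gated behind the debug switch, or given an explicit host in its address. A firewall rule limiting the debug port to the developer hosts that need it is still advisable on top of the loopback binding, since an SSH tunnel is then the only route in.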


Credits:

The vulnerability was discovered by James Perrin from the University
of Manchester.