
openjdk team mailing list archive

Bug#944666: jconsole does not verify the domain name nor check whether the CA is trusted


Package: openjdk-11-jdk
Version: 11.0.5+10-2
Severity: important
File: /usr/lib/jvm/java-11-openjdk-amd64/bin/jconsole
Tags: security

Hi,

Except if I'm severely mistaken, it seems that jconsole does not verify the
domain name nor check whether the CA is trusted when connecting to a JVM
that has SSL enabled for JMX.

This can lead to MITM and stealing of the credentials used to connect to
JMX.

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

Versions of packages openjdk-11-jdk:amd64 depends on:
ii  libc6                    2.29-3
ii  openjdk-11-jdk-headless  11.0.5+10-2
ii  openjdk-11-jre           11.0.5+10-2

Versions of packages openjdk-11-jdk:amd64 recommends:
ii  libxt-dev  1:1.1.5-1+b3

Versions of packages openjdk-11-jdk:amd64 suggests:
pn  openjdk-11-demo    <none>
pn  openjdk-11-source  <none>
pn  visualvm           <none>

-- no debconf information
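As an added illustration, not part of the bug report or of jconsole's own code, the following small Java client performs the two checks the report says jconsole skips before any credentials are sent: it validates the server's certificate chain against the JVM's trust store and enables endpoint identification so the host name must match the certificate. The host name, port and class name are placeholders.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper (not jconsole code): probe a JMX-over-SSL port and enforce
// what a client should enforce before authenticating: the chain must be signed by
// a CA in the JVM trust store (cacerts, or -Djavax.net.ssl.trustStore=...) and the
// host name must match the certificate (endpoint identification).
public final class JmxTlsCheck {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "jmx.example.invalid"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9010;   // placeholder JMX port
        System.out.println("verified server certificate subject: " + check(host, port));
    }

    /** Returns the subject of the verified server certificate, or throws on failure. */
    public static String check(String host, int port) throws Exception {
        // Default SSLContext: trust decisions come from the JVM trust store,
        // never from a trust-all TrustManager.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" turns on RFC 2818 style host-name checking against the SAN/CN.
            // Without it JSSE accepts any trusted certificate for any host, which is
            // the class of weakness the report describes (no domain name check).
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            // Throws SSLHandshakeException on an untrusted CA ("PKIX path building
            // failed") or on a host-name mismatch ("No subject alternative DNS name").
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return leaf.getSubjectX500Principal().getName();
        }
    }
}
```

If the target JVM runs with `com.sun.management.jmxremote.ssl.need.client.auth=true`, the client also needs a key store (`-Djavax.net.ssl.keyStore=...`) for the handshake to complete.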

