Java Debug Wire Protocol remote code execution - Vulnerability Database

Java Debug Wire Protocol remote code execution

Description

The Java Debug Wire Protocol (JDWP) is a communication protocol that enables debuggers to connect to and control Java Virtual Machines (JVMs). When JDWP is enabled and exposed on a network interface, it operates without any authentication mechanism, allowing any client to connect and issue debugging commands. This configuration is intended only for development environments but is sometimes inadvertently left enabled in production systems, creating a critical security vulnerability that allows unauthorized remote access to the JVM.

Remediation

Immediately disable JDWP on all production systems. Verify that Java applications are not started with debugging flags such as -agentlib:jdwp or the legacy -Xdebug and -Xrunjdwp options. Review application startup scripts, systemd service files, and container configurations to ensure these parameters are removed.

If debugging is required in non-production environments, restrict access using the following measures:
1. Bind JDWP only to localhost by using address=127.0.0.1:port instead of address=*:port (always specify the host: a bare address=port also listens on all interfaces on JDK 8 and earlier)
2. Implement network-level access controls (firewall rules, security groups) to restrict access to authorized IP addresses only
3. Use SSH tunneling or VPN connections for remote debugging sessions
4. Ensure debugging is disabled before deploying to production environments through automated configuration validation

Example of insecure configuration to remove:

java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar application.jar

Example of secure local-only configuration for development:

java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar application.jar
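The automated configuration validation recommended in step 4 can be as simple as a shell check run over startup scripts before deployment. The following is an added example, not code from the Invicti advisory; it assumes the -agentlib:jdwp=...,address=HOST:PORT syntax shown above and treats the legacy -Xdebug/-Xrunjdwp forms the same way.

```shell
#!/bin/sh
# Added example (not part of the advisory): a POSIX sh check for CI or a
# deploy pipeline that flags JVM launch lines enabling JDWP outside the
# loopback interface. Assumes the option syntax shown in the advisory.

# jdwp_status CMDLINE -> prints one of: none | local | insecure
jdwp_status() {
    cmd=$1
    case "$cmd" in
        *-agentlib:jdwp*|*-Xrunjdwp*|*-Xdebug*) ;;
        *) echo none; return 0 ;;
    esac
    # Pull out the address=... value (empty when the option is absent).
    addr=$(printf '%s\n' "$cmd" | sed -n 's/.*address=\([^ ,]*\).*/\1/p')
    case "$addr" in
        127.0.0.1:*|localhost:*|"[::1]":*) echo local ;;
        # Anything else is flagged: *:PORT or 0.0.0.0:PORT listens on every
        # interface, and a bare PORT does the same on JDK 8 and earlier.
        *) echo insecure ;;
    esac
}

# jdwp_scan_file FILE -> prints "FILE:LINE: STATUS" for each line that enables
# JDWP; returns 1 if any of them is insecure, so it can gate a deployment.
jdwp_scan_file() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        s=$(jdwp_status "$line")
        if [ "$s" != none ]; then
            printf '%s:%d: %s\n' "$file" "$n" "$s"
            if [ "$s" = insecure ]; then rc=1; fi
        fi
    done < "$file"
    return $rc
}

# Constructed sample startup script used only to demonstrate the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar application.jar
java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar application.jar
java -jar application.jar
EOF
jdwp_scan_file "$sample" || echo "FAIL: insecure JDWP configuration found in $sample"
rm -f "$sample"
```

Run it against every startup script, unit file and container entrypoint in the release; a non-zero exit status means a JDWP listener reachable from the network would ship.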
