Resolution: Won't Fix
Affects Version/s: 6.2.3 CE GA4, 7.0.X, Master
Fix Version/s: None
Component/s: Application Security
JDK: Oracle Sun JDK 7
Application Servers: Apache Tomcat 7.0.42
Browsers: Chrome (latest), Firefox (latest), Internet Explorer 11
Databases: Oracle Database 12c Release 1
Device Type: Tablet, Smartphone, Desktop
An RMI registry is listening on the remote host.
The remote host is running an RMI registry, which acts as a bootstrap naming service for registering and retrieving remote objects with simple names in the Java Remote Method Invocation (RMI) system.
Allowing unauthenticated access to RMI may open the server up to Java deserialization attacks, allowing various levels of access to the server, including remote command execution.
We noticed a random port is started by Liferay. We suspect this is the RMI service.
What we want:
- Change listen address (0.0.0.0.0)
- Change port (60570)
According to this forum, a random port is started and is used by the JVM’s RMI connector.
The forum also suggests several fixes. I have tried them all without any success.
The random port is still running whatever I do. I can’t even change it to listen to localhost or another port.
This is another link with similar fix:
Not working for me.
This link also has the same issue but no fixes that work for me.
However, from what I read, when they try to connect to the local port from a remote machine, a proper exception is thrown and the connection is denied.
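For reference, this is how the listen address and port of an RMI registry and of an exported object are pinned in plain JDK RMI. It is an added example, not Liferay code or a Liferay setting and not part of the original report. The class names, the `Ping` interface and ports 11099/11100 are constructed for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

public class LoopbackRmi {
    /** Hypothetical remote interface, used only for this example. */
    public interface Ping extends Remote { String ping() throws RemoteException; }

    static class PingImpl implements Ping {
        public String ping() { return "pong"; }
    }

    /** Binds every RMI listener to loopback instead of the wildcard address. */
    static class LoopbackFactory implements RMIServerSocketFactory {
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
        }
        // RMI uses equals() to decide whether two exports can share one listener.
        @Override public boolean equals(Object o) { return o instanceof LoopbackFactory; }
        @Override public int hashCode() { return LoopbackFactory.class.hashCode(); }
    }

    public static void main(String[] args) throws Exception {
        int registryPort = 11099; // constructed value
        int objectPort = 11100;   // constructed value; port 0 would mean "pick a random port"
        // Stubs advertise this host name; it does not change the bind address.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        RMIServerSocketFactory ssf = new LoopbackFactory();

        // A null client factory selects the default client sockets.
        Registry registry = LocateRegistry.createRegistry(registryPort, null, ssf);
        PingImpl impl = new PingImpl();
        Ping stub = (Ping) UnicastRemoteObject.exportObject(impl, objectPort, null, ssf);
        registry.rebind("ping", stub);

        // Local round trip through the loopback-only listeners.
        Ping remote = (Ping) LocateRegistry.getRegistry("127.0.0.1", registryPort).lookup("ping");
        System.out.println(remote.ping());

        // Unexport both objects so the JVM can exit.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

While the program is running, a listing of listening sockets on the host should show both ports bound to 127.0.0.1 rather than 0.0.0.0.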