Details

    • Type: Bug
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 6.2.3 CE GA4, 7.0.X, Master
    • Fix Version/s: None
    • Component/s: Application Security
    • Labels:
      None
    • JDK:
      Oracle Sun JDK 7
    • Application Servers:
      Apache Tomcat 7.0.42
    • Browsers:
      Chrome (latest), Firefox (latest), Internet Explorer 11
    • Databases:
      Oracle Database 12c Release 1
    • Device Type:
      Tablet, Smartphone, Desktop

      Description

      An RMI registry is listening on the remote host.

      The remote host is running an RMI registry, which acts as a bootstrap naming service for registering and retrieving remote objects with simple names in the Java Remote Method Invocation (RMI) system.
      Allowing unauthenticated access to RMI may open the server up to Java deserialization attacks, allowing various levels of access to the server, including remote command execution.

      We noticed a random port is started by Liferay. We suspect this is the RMI service.

      What we want:

      Either

      1. Change listen address (0.0.0.0.0)
      2. Change port (60570)

      https://web.liferay.com/community/forums/-/message_boards/message/68271739

      According to this forum, a random port is started and is used by the JVM’s RMI connector.

      The forum also suggests several fixes. I have tried them all without any success.

      The random port is still running whatever I do. I can’t even change it to listen to localhost or another port.

      This is another link with a similar fix:

      https://web.liferay.com/web/thiago.moreira/blog/-/blogs/how-to-monitor-liferay-tomcat-remotely-through-firewalls-using-visualvm

      Not working for me.

      https://bugs.openjdk.java.net/browse/JDK-8035404

      This link also has the same issue, but no fixes that work for me.

      However, from what I read, when they try to connect to the local port from a remote machine, a proper exception is thrown and the connection is denied.
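
A defender-side check for the situation described in this report, added here as an example and not taken from the ticket or from Liferay: it parses `ss -H -ltnp` output (Linux assumed) and lists the ports that the `java` process exposes on all interfaces outside an expected set. The sample rows, the PID and the expected Tomcat ports are constructed assumptions; 60570 is the port quoted in the report.

```python
import re

# Constructed sample of `ss -H -ltnp` output (Linux). PIDs and most ports are
# illustrative; 60570 is the port quoted in the report.
SAMPLE = """\
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=4121,fd=52))
LISTEN 0 1 127.0.0.1:8005 0.0.0.0:* users:(("java",pid=4121,fd=71))
LISTEN 0 50 *:60570 *:* users:(("java",pid=4121,fd=19))
LISTEN 0 50 [::]:8009 [::]:* users:(("java",pid=4121,fd=53))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
"""

# Local-address spellings that mean "every interface".
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text):
    """Yield (process, pid, address, port) for each LISTEN row."""
    for line in text.splitlines():
        cols = line.split()
        # Rows without a process column (ss run without privileges) are skipped.
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, port = cols[3].rpartition(":")
        match = PROC.search(cols[5])
        if match and port.isdigit():
            yield match.group(1), int(match.group(2)), addr, int(port)


def unexpected_wildcard_ports(text, process="java", expected=(8080, 8009, 8005)):
    """Ports the process exposes on all interfaces that are not in `expected`.

    The default `expected` set is an assumption: Tomcat's stock connector ports.
    """
    return sorted(
        port
        for name, _pid, addr, port in parse_listeners(text)
        if name == process and addr in WILDCARDS and port not in expected
    )


if __name__ == "__main__":
    for port in unexpected_wildcard_ports(SAMPLE):
        print(f"java listens on all interfaces at port {port}: not in the expected set")
```

Run it against live output with `ss -H -ltnp` piped into `parse_listeners`; a port that changes on every restart is a candidate for the JVM's RMI connector discussed above and can be blocked at the host firewall while the bind address cannot be changed.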
