Turns out HTTP server used by Jolokia

This commit is contained in:
rick.parker 2023-04-13 13:23:22 +01:00
parent b6800f5282
commit 65b92f43d0


@ -23,11 +23,11 @@ RMI.java.rmi.server.RemoteObject.RemoteObject=throw new java.lang.RuntimeExcepti
# JDK HTTP Server
# ---------------
# The JDK HTTP server is intended for quick testing, especially for platform beginners. It is rarely (if
# ever) used in production, so we can eliminate this little bit of attack surface.
HTTPSERVER.com.sun.net.httpserver.HttpServer.HttpServer=throw new java.lang.RuntimeException("HTTP server creation blocked by aegis4j");
HTTPSERVER.com.sun.net.httpserver.HttpsServer.HttpsServer=throw new java.lang.RuntimeException("HTTPS server creation blocked by aegis4j");
HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.HttpServerProvider=throw new java.lang.RuntimeException("HTTP server provider creation blocked by aegis4j");
HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.provider=throw new java.lang.RuntimeException("HTTP server provider lookup blocked by aegis4j");
# ever) used in production, so we can eliminate this little bit of attack surface. Turns out used by Jolokia.
#HTTPSERVER.com.sun.net.httpserver.HttpServer.HttpServer=throw new java.lang.RuntimeException("HTTP server creation blocked by aegis4j");
#HTTPSERVER.com.sun.net.httpserver.HttpsServer.HttpsServer=throw new java.lang.RuntimeException("HTTPS server creation blocked by aegis4j");
#HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.HttpServerProvider=throw new java.lang.RuntimeException("HTTP server provider creation blocked by aegis4j");
#HTTPSERVER.com.sun.net.httpserver.spi.HttpServerProvider.provider=throw new java.lang.RuntimeException("HTTP server provider lookup blocked by aegis4j");
# Java Serialization
# ------------------
# Probably a bit more commonly used than most of the other features on this list, but a huge security
@ -68,3 +68,5 @@ NETTYHTTP.org.jboss.netty.handler.codec.http.HttpMessageDecoder.HttpMessageDecod
H2.org.h2.server.web.WebServlet.WebServlet=throw new java.lang.RuntimeException("H2 Console blocked by aegis4j");
# CVE-2021-23463
H2.org.h2.jdbc.JdbcSQLXML.getSource=throw new java.lang.RuntimeException("H2 SQL XML blocked by aegis4j");
# CVE-2022-0839
#LIQUIBASE.liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode=saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
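Review bot: Commenting out all four HTTPSERVER entries in the first hunk (from the `HttpServer.HttpServer` line through `HttpServerProvider.provider`) removes the protection for every deployment of this file, while the stated reason is a single consumer, Jolokia. If the agent supports disabling a feature per deployment, keeping the entries active and switching HTTPSERVER off only where Jolokia runs would preserve the block elsewhere; otherwise it is worth checking whether Jolokia needs all four — the `HttpsServer` constructor and the provider lookup may not be required — and leaving the rest in place. The retained comment `# The JDK HTTP server is intended for quick testing ... It is rarely (if ever) used in production` now contradicts the appended `Turns out used by Jolokia.`, so a single accurate sentence such as `# The JDK HTTP server is used by Jolokia, so it is not blocked here; re-enable the entries below if Jolokia is not deployed.` would read more clearly. In the second hunk the commented-out LIQUIBASE entry under `# CVE-2022-0839` (which appears to be among the lines this commit adds, though the rendered page does not mark sides) carries no note on why it is disabled; if it is a placeholder pending support for that kind of expression, saying so in the comment would stop it being mistaken for an active mitigation.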