The AS Java’s processes run in a Java Virtual Machine (JVM), which means that any security aspects that apply to the virtual machine also affect the security of the AS Java.
Java's security model defines the security concept and the mechanisms incorporated in the JVM. The Java security model is focused on protecting users from hostile programs downloaded from untrusted sources by providing a customizable sandbox in which Java programs run. The sandbox security model represents a shell that surrounds a running Java program and protects the host system from malicious code. Thus, because of the safety features defined by Java’s security model and incorporated in the JVM, running programs can access system resources only in safe and structured ways.
Java applications running in the JVM sandbox can also access native functions of the operating system on which the sandbox runs. The security mechanisms of the JVM can establish whether a function may perform such access; however, they do not guard against the malicious consequences of calling such native methods, nor against software vulnerabilities in the application code or in the JVM itself.
Therefore, we recommend that you keep up with the latest JVM updates and install the latest patches provided by your virtual machine or operating system vendor.
The SAP JVM offers a debugging-on-demand feature that enables debugging of Java programs without restarting the Java VM. Java debugging can expose the confidential data of Java programs. In addition, the Java Debug Wire Protocol (JDWP) allows a wide range of control over the Java VM. An attacker can therefore use the Java VM debugging feature to harm a Java program or the Java application server.
Debugging can only be enabled by the user who started the SAP JVM. In addition, this user must have write permission for the Java launcher program on UNIX/Linux operating systems, or System Administrator authorizations on Microsoft Windows operating systems.
We recommend that you protect your JVM with a network firewall, thereby blocking possible attacks on the Java debug ports. The ports used for debugging are:
In a standalone SAP JVM (not embedded in the AS Java):
● Without a command line option, the default ports are 8000 to 8100, depending on the number of SAP JVM instances concurrently used for debugging.
● With the command line option -XdebugPortRange, the ports configured with the option, in the form (from)[-(to)], are used.
In the SAP JVM used in an AS Java, the debug port range is configured with the AS Java Config Tool.
Debugging can be turned off with the parameter -XX:-EnableDebuggingOnDemand on the command line in the standalone scenario, or with the AS Java Config Tool.
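As an added illustration (not SAP's own code), the following audit helper inspects a standalone SAP JVM command line the way a hardening check would: it reports whether debugging on demand is still switched on and which TCP port range a firewall rule must cover, using the 8000-8100 default from the text. The exact spelling -XdebugPortRange<from>[-<to>] and the assumption that debugging on demand is enabled unless -XX:-EnableDebuggingOnDemand is present are assumptions, not confirmed by the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Default debug port range stated for a standalone SAP JVM without the port option.
DEFAULT_DEBUG_PORT_RANGE = (8000, 8100)

# Assumed option syntax: -XdebugPortRange<from>[-<to>], e.g. -XdebugPortRange8000-8010.
_PORT_RANGE_RE = re.compile(r"^-XdebugPortRange[=:]?(\d{1,5})(?:-(\d{1,5}))?$")
# -XX:+Flag enables, -XX:-Flag disables; the last occurrence on the command line wins.
_ON_DEMAND_RE = re.compile(r"^-XX:([+-])EnableDebuggingOnDemand$")


@dataclass
class DebugAudit:
    on_demand_enabled: bool
    port_range: tuple[int, int]
    findings: list[str] = field(default_factory=list)


def audit_sapjvm_args(argv: list[str]) -> DebugAudit:
    """Derive the debugging-on-demand state and debug port range from JVM arguments."""
    on_demand = True  # assumption: enabled unless explicitly switched off
    ports = DEFAULT_DEBUG_PORT_RANGE
    for arg in argv:
        m = _ON_DEMAND_RE.match(arg)
        if m:
            on_demand = m.group(1) == "+"
            continue
        m = _PORT_RANGE_RE.match(arg)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            ports = (min(lo, hi), max(lo, hi))
    audit = DebugAudit(on_demand, ports)
    if on_demand:
        audit.findings.append(
            "debugging on demand is enabled; add -XX:-EnableDebuggingOnDemand if not required")
        audit.findings.append(
            f"firewall must block TCP {ports[0]}-{ports[1]} from untrusted networks")
    return audit


if __name__ == "__main__":
    # Constructed sample command line, not taken from a real system.
    sample = ["java", "-Xmx2g", "-XdebugPortRange8000-8010", "-cp", "app.jar", "Main"]
    for finding in audit_sapjvm_args(sample).findings:
        print(finding)
```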
SAP Note: 1029914