JDK-8087189 : RMI server-side multiplex protocol support should be removed
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.rmi
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2015-06-11
  • Updated: 2018-05-31
  • Resolved: 2017-08-31
JDK 10: 10 b22 (Fixed)
Sub Tasks
JDK-8199695
Description
The RMI code supports a disused protocol called the "multiplex" protocol. This was removed by JDK-4183204 in JDK 1.2.2. More history is in JDK-4257730. The latter bug comments indicate that the multiplex protocol was implemented in order to solve a problem that existed in JDK 1.0.2 but that it was no longer necessary and was considered "deprecated" by JDK 1.2.2.

JDK-4183204 removed client initiation of the multiplex protocol but server side support still exists and can probably be exercised. This is a potential security risk.

An initial step would be simply to disable the multiplex protocol processing so that the old code will no longer be invoked. This was done in 8158963 for JDK 9.

A second step would be to remove the multiplex support entirely.
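
A passive check a defender can run over captured connection openers to see whether any peer still requests the multiplex protocol. It is an added example, not code from the JDK or from this bug report. The header layout (magic, version, protocol byte) and the protocol byte values come from the public Java RMI wire protocol specification; the function names, flow tuples and addresses are constructed for illustration.

```python
import struct

# Constants from the public Java RMI wire protocol (JRMP) specification.
JRMI_MAGIC = b"JRMI"             # 0x4a524d49
PROTOCOLS = {0x4B: "stream", 0x4C: "single-op", 0x4D: "multiplex"}


def classify_jrmp_header(data: bytes) -> str:
    """Classify the first bytes a client sent to an RMI endpoint.

    Returns "not-jrmp", "truncated", "unknown-protocol", or a name
    from PROTOCOLS.
    """
    seen = data[:4]
    # Anything that does not begin like the JRMI magic is other traffic.
    if seen != JRMI_MAGIC[:len(seen)]:
        return "not-jrmp"
    # Header is 4-byte magic + 2-byte version + 1-byte protocol selector.
    if len(data) < 7:
        return "truncated"
    _magic, _version, proto = struct.unpack(">IHB", data[:7])
    return PROTOCOLS.get(proto, "unknown-protocol")


def multiplex_attempts(flows):
    """Return the sources whose opening bytes request the multiplex protocol.

    `flows` is an iterable of (source, first_bytes) pairs, e.g. taken from
    a packet capture of traffic to RMI registry or exported-object ports.
    """
    return [src for src, first in flows
            if classify_jrmp_header(first) == "multiplex"]


# Constructed sample data (documentation address range, not real traffic).
SAMPLE_FLOWS = [
    ("192.0.2.5:40112", bytes.fromhex("4a524d4900024b")),          # stream
    ("192.0.2.9:51844", bytes.fromhex("4a524d4900024d")),          # multiplex
    ("192.0.2.7:33010", b"GET / HTTP/1.1\r\n"),                    # not JRMP
    ("192.0.2.8:41000", bytes.fromhex("4a524d4900024c") + b"\x50"),  # single-op
    ("192.0.2.6:47001", bytes.fromhex("4a524d")),                  # cut short
]

if __name__ == "__main__":
    for src in multiplex_attempts(SAMPLE_FLOWS):
        print(f"multiplex protocol requested by {src}")
```

On a runtime where the multiplex support has been disabled or removed, any hit from this check is a peer speaking a protocol the server no longer accepts, which is worth investigating as a misconfigured legacy client or a probe.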
Comments
Review: http://mail.openjdk.java.net/pipermail/core-libs-dev/2017-August/049095.html
31-08-2017