Is the inter process communication interface secure?

System information:

• OS: Linux Slackware 64 -current
• DBeaver version 7.3.0

Connection specification:

Does not apply

Describe the problem you’re observing:

At startup, DBeaverInstanceServer looks up a random free tcp port between 20000 and 65000, opens it and bind an RMI server that seems to be used as a way of inter-process communication. It looks like it’s not that secure, since:

• it binds to any available interface, even public ones
• no credentials are needed to use it
• it exports remote methods like openExternalFiles, openDatabaseConnection, executeWorkbenchCommand or just quit

If I understand it correctly, the only implemented mitigation is the choice of a random port that gets saved in a text file in order for other instances to know what port to look for. I can see two different problems here:

• a local one, where an user on a system can look up the port used by the java process of another user and just control the DBeaver instance that the other user is running.
• a remote one, where a malicious user can basically gain remote code execution using DBeaver as a trampoline.

About the second problem, I expect you to tell me that any firewall would block remote access to that port. I have two notes on this:

• https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/rmi_security_recommendations.html
• I can imagine an unskilled user having connection problems to a database that tries to create a firewall exception for DBeaver in order to see if it fixes his problems.

Thank you and sorry if I made any wrong assumption here.