Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
2016-05-25 13:42 GMT-04:00 Mark Thomas:
(...)
> For example, this issue only applies if you are using JMX/RMI. If you
> are, it is likely to be a significant risk. If you aren't, it won't
> affect you. One of the reasons I published that blog post was to provide
> folks with the information they need to figure out whether this affects
> them or not.
>
> Mark
>

When in doubt, I usually prefer to upgrade to the latest version. I see no reason to stick to a lower version unless a specific bug is known and has been introduced into the latest version.

- Daniel Savard
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
On 25/05/2016 16:12, Christopher Schultz wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?

8u91 onwards. If you want the fix in an earlier Java version then you'll need to be paying Oracle $$$ for extended Java support.

> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

At least you can derive that from public information. What annoys me far more is that Oracle provide next to no detail with their CVE announcements so it is impossible for a user to determine if the issue affects them or not. For example, this issue only applies if you are using JMX/RMI. If you are, it is likely to be a significant risk. If you aren't, it won't affect you. One of the reasons I published that blog post was to provide folks with the information they need to figure out whether this affects them or not.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
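A small inventory check that applies Mark's two criteria (is the remote JMX/RMI connector enabled, and is the JVM at 8u91 or later) to a list of JVMs. This is an added example, not code from the thread or from the Tomcat project; it assumes Java 8 version strings of the form `1.8.0_NN` and the standard `com.sun.management.jmxremote.port` system property, and the JVM list is constructed sample data.

```python
import re
import shlex

# Java 8 update level that carries the fix, as stated in the thread ("8u91 onwards").
JAVA8_FIXED_UPDATE = 91
# JVM system property that opens the remote JMX/RMI connector on a TCP port.
REMOTE_JMX_PROP = "-Dcom.sun.management.jmxremote.port="


def parse_java8_update(version_line):
    """Return the update number from a Java 8 `java -version` line such as
    'java version "1.8.0_77"', or None for any other major version or format."""
    m = re.search(r'"1\.8\.0_(\d+)', version_line)
    return int(m.group(1)) if m else None


def uses_remote_jmx(command_line):
    """True if the JVM command line (e.g. from `ps -ef`) opens a remote JMX port.
    Note that -Dcom.sun.management.jmxremote alone does not open a remote port."""
    return any(arg.startswith(REMOTE_JMX_PROP) for arg in shlex.split(command_line))


def assess(version_line, command_line):
    """Classify one JVM against the thread's advice:
    'not-exposed'  remote JMX not enabled, so CVE-2016-3427 does not apply
    'patched'      remote JMX enabled on Java 8u91 or later
    'upgrade'      remote JMX enabled on a Java 8 build older than 8u91
    'unknown'      remote JMX enabled on something other than Java 8: check the advisory"""
    if not uses_remote_jmx(command_line):
        return "not-exposed"
    update = parse_java8_update(version_line)
    if update is None:
        return "unknown"
    return "patched" if update >= JAVA8_FIXED_UPDATE else "upgrade"


# Constructed sample data, not real hosts: (name, `java -version` line, command line).
SAMPLE_JVMS = [
    ("tomcat-a", 'java version "1.8.0_77"',
     "java -Dcom.sun.management.jmxremote.port=9010 org.apache.catalina.startup.Bootstrap"),
    ("tomcat-b", 'java version "1.8.0_91"',
     "java -Dcom.sun.management.jmxremote.port=9010 org.apache.catalina.startup.Bootstrap"),
    ("tomcat-c", 'java version "1.8.0_77"',
     "java -Xmx1g org.apache.catalina.startup.Bootstrap"),
    ("tomcat-d", 'java version "1.7.0_80"',
     "java -Dcom.sun.management.jmxremote.port=9010 org.apache.catalina.startup.Bootstrap"),
]


def assess_all(jvms=SAMPLE_JVMS):
    """Map each sample JVM name to its verdict."""
    return {name: assess(ver, cmd) for name, ver, cmd in jvms}
```

Feed it real `java -version` output and the JVM command lines from your process listing; anything reported as `upgrade` is the case Mark describes as a significant risk.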
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
David,

On 5/25/16 11:41 AM, David kerber wrote:
> On 5/25/2016 11:12 AM, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to
>>> address CVE-2016-3427
>>>
>>> For the longer version, see the blog post I just published on
>>> this:
>>> http://engineering.pivotal.io/post/java-deserialization-jmx/
>>
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been
>> patched in April, but I have no idea what version of Java was
>> published in April, and Oracle's site seems very reticent to tell
>> me :(
>>
>> The CVEs have virtually no information other than "something bad
>> exists in some versions of some stuff, and you should upgrade".
>> Upgrade to what ?
>
> Wouldn't it just be the latest?

Presumably so, but do you really want to read between the lines for a security advisory? This should be much more clear to the reader. At face value, it appears that precisely 5 versions are affected, when the truth is much worse.

-chris
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
On 5/25/2016 11:12 AM, Christopher Schultz wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

Wouldn't it just be the latest?
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

When I clicked on the CVE link and then the link to the Oracle page in the Reference section (CONFIRM: http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html), I could see the Java version ("Supported Versions Affected" column) in the table when I looked up "CVE-2016-3427".

> -chris
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:
> TL;DR If you use remote JMX, you need to update your JVM to address
> CVE-2016-3427
>
> For the longer version, see the blog post I just published on
> this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Okay, I give up: what version of Java 8 actually has this patch? Oracle's site gives me the runaround and tells me that it's been patched in April, but I have no idea what version of Java was published in April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtually no information other than "something bad exists in some versions of some stuff, and you should upgrade". Upgrade to what ?

-chris
[SECURITY] Java Deserialization, JMX and CVE-2016-3427
TL;DR If you use remote JMX, you need to update your JVM to address CVE-2016-3427

For the longer version, see the blog post I just published on this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Mark