Davi,

If you look at the security issues, they mostly come down to the same thing: the sandbox isn't secure. Instead of running applets or web applications in a locked-down environment, malicious code can get out and access private data, manipulate the filesystem, get out on the network, etc.

As a result of sandbox vulnerabilities, Java sandbox attacks are the #1 way to exploit client machines, with Flash 0-days following straight after. I wouldn't recommend anyone having Java 6 on their desktop, and even with Java 7u51 "signed apps only" installed, I'd go to the Java properties and disable applets. Then go to Firefox and Chrome and disable the Java plugin, before going to IE and changing the ActiveX security policy to "never download". Next: install Flashblock so you don't get Flash loading except on sites you trust, and set your RSS reader up to subscribe to https://isc.sans.edu/ to get alerts. Because if you don't do that, your desktops are not secure.

But that has nothing to do with server-side security: people aren't running sandbox applets in their Java cluster. So that's not the risk. Stability of running code is more of an issue, and that's where the pressure of patching Java client code to fix 0-day exploits comes into direct conflict with the need for server stability. Client security holes: fast patch, minimal testing, ship ASAP. Stable: test for a while and make sure things don't crash or leak. Hadoop installations tend to be trailing edge, because the latter matters more in a Hadoop cluster.

And that's where we are today: some people like Java 6 because it is stable. Hadoop is tested on it and it works. Hadoop also now appears to work well on Java 7 and OpenJDK 7. I think everyone who can should move to either of those, as it's where the stability patches go in, and it's got lots of performance improvements, as well as the API and library changes we are discussing.

What I don't see us doing is telling people who are using branch-2 releases on Java 6 to upgrade on a point release. That just increases the risk of the upgrade, and may just hold them back from updating Hadoop itself.

-steve

If there is an issue with Java 6, it is "who has it on their machines for builds?" I don't, but I have one Linux VM with Java 6 and another with Java 8.
On 8 April 2014 10:00, Ottenheimer, Davi <[email protected]> wrote:

> Hi Eli,
>
> Technically you are correct those with extended support get critical security fixes for 6 until the end of 2016. I am curious whether many of those are in the Hadoop user base. Do you know? My guess is the vast majority are within Oracle's official public end of life, which was over 12 months ago. Even Premier support ended Dec 2013:
>
> http://www.oracle.com/technetwork/java/eol-135779.html
>
> The end of Java 6 support carries much risk. It has to be considered in terms of serious security vulnerabilities such as CVE-2013-2465 with CVSS score 10.0.
>
> http://www.cvedetails.com/cve/CVE-2013-2465/
>
> Since you mentioned "caused systems to stop" as an example of what would be a concern to Hadoop users, please note the CVE-2013-2465 availability impact:
>
> "Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)"
>
> This vulnerability was patched in Java 6 Update 51, but post end of life. Apple pushed out the update specifically because of this vulnerability (http://support.apple.com/kb/HT5717) as did some other vendors privately, but for the majority of people using Java 6 means they have a ticking time bomb.
>
> Allowing it to stay should be considered in terms of accepting the whole risk posture.
>
> Davi
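The practical question Steve ends on ("who has it on their machines for builds?") and Davi's point that the CVE-2013-2465 fix only landed in 6u51 both come down to knowing exactly which JVM a build or cluster host runs. The following is an added example for this thread, not code from the Hadoop project or either poster: a POSIX sh helper that parses a Java version string, and the output of `java -version`, into a major release and update number, then classifies the install as acceptable (Java 7 or later), Java 6 at update 51 or later (CVE-2013-2465 fixed but still end-of-life), Java 6 below update 51, or older. The sample `java -version` text is constructed for the example, as is the `9.0.1`-style handling for later major-first version strings; the policy threshold of "Java 7 or later" is an assumption matching Steve's recommendation.

```shell
#!/bin/sh
# Added example (not from the Hadoop thread): classify the Java a host runs
# so Java 6 builds can be caught on build and cluster machines. All sample
# version strings and the sample `java -version` output are constructed.

# Print the major release: "1.6.0_45" -> 6, "1.7.0_51" -> 7, "1.8.0" -> 8.
# Later major-first strings such as "9.0.1" -> 9 (an assumption, not on the page).
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# Print the update number: "1.6.0_45" -> 45, "1.7.0_51-b13" -> 51, "1.8.0" -> 0.
# Anything after the digits (build tags like "-b13" or "-ea") is dropped.
java_update() {
    case "$1" in
        *_*) printf '%s\n' "${1##*_}" | sed 's/[^0-9].*$//' ;;
        *)   printf '0\n' ;;
    esac
}

# Pull the quoted version out of `java -version` output (which the JVM
# writes to stderr, so callers capture it with 2>&1). Prints nothing if
# no line matches, so check_java reports "unknown" rather than guessing.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a version string and print one word:
#   ok             Java 7 or later (threshold is an assumption from the thread)
#   java6-patched  Java 6 update 51 or later: CVE-2013-2465 fixed, but still EOL
#   java6-old      Java 6 below update 51: the unpatched case Davi describes
#   too-old        anything before Java 6
#   unknown        empty or unparsable input
# Returns 0 only for "ok", so `check_java "$v" || exit 1` can gate a build.
check_java() {
    ver=$1
    [ -n "$ver" ] || { echo unknown; return 1; }
    major=$(java_major "$ver")
    update=$(java_update "$ver")
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -ge 7 ]; then
        echo ok
        return 0
    elif [ "$major" -eq 6 ]; then
        if [ "$update" -ge 51 ]; then echo java6-patched; else echo java6-old; fi
        return 1
    else
        echo too-old
        return 1
    fi
}

# Constructed sample of what `java -version 2>&1` prints on a Java 6u45 host.
SAMPLE_JAVA6='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)'

# Demo: classify the constructed sample, then the live JVM if one is on PATH.
echo "sample 1.6.0_45: $(check_java "$(parse_java_version "$SAMPLE_JAVA6")")"
if command -v java >/dev/null 2>&1; then
    live=$(parse_java_version "$(java -version 2>&1)")
    echo "live ${live:-?}: $(check_java "$live")"
fi
```

To use it across a fleet, run `check_java "$(parse_java_version "$(java -version 2>&1)")"` on each build host and cluster node (for example through your configuration management tool's exec step) and treat any result other than `ok` as a finding; `java6-old` is the case where CVE-2013-2465 remains unpatched.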
