Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Daniel Savard]

2016-05-25 13:42 GMT-04:00 Mark Thomas :
(...)

> For example, this issue only applies if you are using JMX/RMI. If you
> are, it is likely to be a significant risk. If you aren't, it won't
> affect you. One of the reasons I published that blog post was to provide
> folks with the information they need to figure out whether this affects
> them or not.
>
> Mark
>

In doubt, I usually prefer to upgrade to latest version. I see no reason to
stick to a lower version unless a specific bug is know and has been
introduced into the latest version.

-
Daniel Savard

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Mark Thomas]

On 25/05/2016 16:12, Christopher Schultz wrote:
> Mark,
> 
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
> 
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
> 
> Okay, I give up: what version of Java 8 actually has this patch?

8u91 onwards.

If you want the fix in an early Java version then you'll need to be
paying Oracle $$$ for extended Java support

> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
> 
> The CVEs have virtuall no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

At least you can derive that form public information. What annoys me far
more is that Oracle provide next to no detail with their CVE
announcements so it is impossible for a user to determine if the issue
affects them or not.

For example, this issue only applies if you are using JMX/RMI. If you
are, it is likely to be a significant risk. If you aren't, it won't
affect you. One of the reasons I published that blog post was to provide
folks with the information they need to figure out whether this affects
them or not.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David,

On 5/25/16 11:41 AM, David kerber wrote:
> On 5/25/2016 11:12 AM, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
>> 
>> Mark,
>> 
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to
>>> address CVE-2016-3427
>>> 
>>> For the longer version, see the blog post I just published on 
>>> this:
>>> http://engineering.pivotal.io/post/java-deserialization-jmx/
>> 
>> Okay, I give up: what version of Java 8 actually has this patch? 
>> Oracle's site gives me the runaround and tells me that it's been
>> patched in April, but I have no idea what version of Java was
>> published in April, and Oracle's site seems very reticent to tell
>> me :(
>> 
>> The CVEs have virtuall no information other than "something bad
>> exists in some versions of some stuff, and you should upgrade".
>> Upgrade to what ?
> 
> Wouldn't it just be the latest?

Presumably so, but do you really want to read between the lines for a
security advisory? This should be much more clear to the reader. At
face value, it appears that precisely 5 versions are effected, when
the truth is much worse.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFyhgACgkQ9CaO5/Lv0PBPigCgmCNXhA/kEiJRI5J5sUVunKmG
VNgAmwcBS1DRQy9NBnQRoARFdLbUqHu6
=TuoZ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[David kerber]

On 5/25/2016 11:12 AM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:

TL;DR If you use remote JMX, you need to update your JVM to address
CVE-2016-3427

For the longer version, see the blog post I just published on
this: http://engineering.pivotal.io/post/java-deserialization-jmx/


Okay, I give up: what version of Java 8 actually has this patch?
Oracle's site gives me the runaround and tells me that it's been patched
in April, but I have no idea what version of Java was published in
April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtuall no information other than "something bad exists
in some versions of some stuff, and you should upgrade". Upgrade to what
?


Wouldn't it just be the latest?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Woonsan Ko]

On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtuall no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

When I clicked on the CVE link and the link to oracle page onward in
the Reference section
(CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
I could see the Java version ("Supported Versions Affected" column) in
the table when I look up "CVE-2016-3427".

>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAldFwPAACgkQ9CaO5/Lv0PBRjQCeOkzoLqUv6DMHkLWkEbfySe74
> tvgAnRnNMavAA9M7Y2FxoTOQ1mo8eIW9
> =g9B3
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:
> TL;DR If you use remote JMX, you need to update your JVM to address
> CVE-2016-3427
> 
> For the longer version, see the blog post I just published on
> this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Okay, I give up: what version of Java 8 actually has this patch?
Oracle's site gives me the runaround and tells me that it's been patched
in April, but I have no idea what version of Java was published in
April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtuall no information other than "something bad exists
in some versions of some stuff, and you should upgrade". Upgrade to what
?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFwPAACgkQ9CaO5/Lv0PBRjQCeOkzoLqUv6DMHkLWkEbfySe74
tvgAnRnNMavAA9M7Y2FxoTOQ1mo8eIW9
=g9B3
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] Java Deserialization, JMX and CVE-2016-3427

[Mark Thomas]

TL;DR
If you use remote JMX, you need to update your JVM to address CVE-2016-3427

For the longer version, see the blog post I just published on this:
http://engineering.pivotal.io/post/java-deserialization-jmx/

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org