Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Mark Thomas
On 25/05/2016 16:12, Christopher Schultz wrote:
> Mark,
> 
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
> 
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
> 
> Okay, I give up: what version of Java 8 actually has this patch?

8u91 onwards.

If you want the fix in an earlier Java version then you'll need to be
paying Oracle $$$ for extended Java support.

> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
> 
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

At least you can derive that from public information. What annoys me far
more is that Oracle provide next to no detail with their CVE
announcements so it is impossible for a user to determine if the issue
affects them or not.

For example, this issue only applies if you are using JMX/RMI. If you
are, it is likely to be a significant risk. If you aren't, it won't
affect you. One of the reasons I published that blog post was to provide
folks with the information they need to figure out whether this affects
them or not.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



RE: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

> "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

> I have Java 1.8.0_91. Am I affected?

No.

> What about if I had Java 1.8.0_60?

Yes.

> That doesn't give a version range. It makes it seem like only that
> version number was affected. It also doesn't say what version has the
> fix.

Oracle has certainly made a mess of it.  (Among other things, they decided to 
co-opt the acronym "CPU", intending it to stand for "Critical Patch Update"; I 
guess they were unaware it had any prior meaning.)

As far as the affected versions go, that column means the specified version and 
all priors are impacted, and all later versions include the fix.  Not at all 
clear.

> What if you are on a beta-release schedule and you have out-of-band
> updates from the public ones?

Then you get direct weekly e-mails from Oracle describing what's in each CPU, 
when it will be available, and what build number it will be.

> What about Java 9?

That's included in the e-mails mentioned above.  It's still in major flux, so 
no one should be using it in production or anywhere else that can be accessed 
from the internet.

> What about Java 5?

Not supported, unless you pay lots of money, in which case you get e-mails.

 - Chuck




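The two checks the thread spells out (Chuck's reading of the "Supported Versions Affected" column, where the listed version and all priors are affected and later ones carry the fix, and Mark's point that the issue only matters when remote JMX/RMI is enabled) as a script. This is an added example and not code from the thread, Tomcat or Oracle. The version ceilings are the ones quoted from the April 2016 CPU table; the `jmxremote.port` check is my assumption about how remote JMX is normally switched on, and the sample version strings and command lines are constructed.

```python
"""Decide whether a JVM is exposed to CVE-2016-3427 the way the thread describes.

Two questions: (1) is the JVM at or below the "Supported Versions Affected" entry
for its family (that version and all priors are affected, later ones carry the
fix), and (2) is remote JMX/RMI actually enabled on that JVM.
"""
import re
import subprocess
from typing import NamedTuple, Optional

# "Supported Versions Affected" for CVE-2016-3427 from Oracle's April 2016 CPU,
# as quoted in the thread: Java SE 6u113, 7u99, 8u77.
AFFECTED_CEILING = {6: 113, 7: 99, 8: 77}

# Assumption: remote JMX is switched on via this system property; without a port
# the platform MBean server is reachable only locally (no RMI listener is opened).
JMX_PORT_PROPERTY = "-Dcom.sun.management.jmxremote.port="


class JavaVersion(NamedTuple):
    family: int  # 6, 7, 8, ...
    update: int  # the uNN / _NN part, 0 when absent


_VERSION_RE = re.compile(
    r"""^\s*(?:java\s+version\s+")?  # optional first line of `java -version`
        (?:1\.)?(?P<family>\d+)      # "1.8.0_91" or "8u91" -> family 8
        (?:\.\d+)*                   # remaining dotted components
        (?:[_u](?P<update>\d+))?     # update number
        (?:-\w+)?                    # build/EA suffix such as -b14 or -ea
        "?\s*$""",
    re.VERBOSE,
)


def parse_version(text: str) -> JavaVersion:
    """Parse "1.8.0_60", "8u77", or the first line of `java -version` output."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return JavaVersion(int(m["family"]), int(m["update"] or 0))


def version_is_affected(v: JavaVersion) -> Optional[bool]:
    """True if at or below the affected ceiling, False if newer, None if the
    family is not in the CPU table (e.g. Java 5 or 9) and needs a manual look."""
    ceiling = AFFECTED_CEILING.get(v.family)
    if ceiling is None:
        return None
    return v.update <= ceiling


def remote_jmx_enabled(cmdline: str) -> bool:
    """True when the JVM command line opens the remote JMX/RMI connector."""
    return any(arg.startswith(JMX_PORT_PROPERTY) for arg in cmdline.split())


def assess(version_text: str, cmdline: str) -> str:
    """Combine both checks into a one-line verdict for one JVM."""
    v = parse_version(version_text)
    label = f"{v.family}u{v.update}"
    if not remote_jmx_enabled(cmdline):
        return f"not exposed: remote JMX/RMI is not enabled ({label})"
    affected = version_is_affected(v)
    if affected is None:
        return f"unknown: Java {v.family} is not in the April 2016 CPU table ({label})"
    ceiling = f"{v.family}u{AFFECTED_CEILING[v.family]}"
    if affected:
        return f"EXPOSED: {label} is at or below {ceiling}; update the JVM"
    return f"patched: {label} is newer than {ceiling}"


def local_java_version(java: str = "java") -> JavaVersion:
    """Version of the `java` on PATH; note that `java -version` writes to stderr."""
    out = subprocess.run([java, "-version"], capture_output=True, text=True, check=True)
    return parse_version(out.stderr.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = [
        ('java version "1.8.0_91"', "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
        ('java version "1.8.0_60"', "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
        ('java version "1.8.0_60"', "java -Dcom.sun.management.jmxremote -jar app.jar"),
        ('java version "1.7.0_99"', "java -Dcom.sun.management.jmxremote.port=1099 -jar app.jar"),
        ('java version "9-ea"', "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    ]
    for ver, cmd in samples:
        print(f"{ver:26} -> {assess(ver, cmd)}")
```

Two caveats for Tomcat users. A JVM started with `-Dcom.sun.management.jmxremote` but no port is local-only and is reported as not exposed, which matches Mark's "if you aren't using JMX/RMI, it won't affect you". Tomcat's own JmxRemoteLifecycleListener, however, opens its RMI ports from settings in server.xml rather than from a `-D` flag, so a Tomcat instance using that listener is exposed even though the command-line check above says otherwise; check the listener configuration or the listening ports as well before trusting a "not exposed" verdict.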



Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz
Woonsan,

On 5/25/16 11:29 AM, Woonsan Ko wrote:
> On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
>  wrote:
>> Mark,
>> 
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to address
>>> CVE-2016-3427
>>> 
>>> For the longer version, see the blog post I just published on
>>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>> 
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been patched
>> in April, but I have no idea what version of Java was published in
>> April, and Oracle's site seems very reticent to tell me :(
>> 
>> The CVEs have virtually no information other than "something bad exists
>> in some versions of some stuff, and you should upgrade". Upgrade to what
>> ?
> 
> When I clicked on the CVE link and the link to oracle page onward in
> the Reference section
> (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
> I could see the Java version ("Supported Versions Affected" column) in
> the table when I look up "CVE-2016-3427".

Right:

"Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

I have Java 1.8.0_91. Am I affected? What about if I had Java 1.8.0_60?

That doesn't give a version range. It makes it seem like only that
version number was affected. It also doesn't say what version has the
fix. What if you are on a beta-release schedule and you have out-of-band
updates from the public ones? What about Java 9? What about Java 5?

The documentation is just horrible.

-chris





Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Woonsan Ko
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
 wrote:
>
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

When I clicked on the CVE link and the link to oracle page onward in
the Reference section
(CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
I could see the Java version ("Supported Versions Affected" column) in
the table when I look up "CVE-2016-3427".

>
> -chris




Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz

Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:
> TL;DR If you use remote JMX, you need to update your JVM to address
> CVE-2016-3427
> 
> For the longer version, see the blog post I just published on
> this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Okay, I give up: what version of Java 8 actually has this patch?
Oracle's site gives me the runaround and tells me that it's been patched
in April, but I have no idea what version of Java was published in
April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtually no information other than "something bad exists
in some versions of some stuff, and you should upgrade". Upgrade to what
?

-chris




[SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-24 Thread Mark Thomas
TL;DR
If you use remote JMX, you need to update your JVM to address CVE-2016-3427

For the longer version, see the blog post I just published on this:
http://engineering.pivotal.io/post/java-deserialization-jmx/

Mark
