Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
On 25/05/2016 16:12, Christopher Schultz wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?

8u91 onwards. If you want the fix in an early Java version then you'll need to be paying Oracle $$$ for extended Java support

> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

At least you can derive that from public information. What annoys me far more is that Oracle provide next to no detail with their CVE announcements so it is impossible for a user to determine if the issue affects them or not.

For example, this issue only applies if you are using JMX/RMI. If you are, it is likely to be a significant risk. If you aren't, it won't affect you.

One of the reasons I published that blog post was to provide folks with the information they need to figure out whether this affects them or not.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
RE: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

> "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

> I have Java 1.8.0_91. Am I affected?

No.

> What about if I had Java 1.8.0_60?

Yes.

> That doesn't give a version range. It makes it seem like only that
> version number was affected. It also doesn't say what version has the
> fix.

Oracle has certainly made a mess of it. (Among other things, they decided to co-opt the acronym "CPU", intending it to stand for "Critical Patch Update"; I guess they were unaware it had any prior meaning.) As far as the affected versions go, that column means the specified version and all priors are impacted, and all later versions include the fix. Not at all clear.

> What if you are on a beta-release schedule and you have out-of-band
> updates from the public ones?

Then you get direct weekly e-mails from Oracle describing what's in each CPU, when it will be available, and what build number it will be.

> What about Java 9?

That's included in the e-mails mentioned above. It's still in major flux, so no one should be using it in production or anywhere else that can be accessed from the internet.

> What about Java 5?

Not supported, unless you pay lots of money, in which case you get e-mails.

 - Chuck
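The thread establishes two facts a defender needs: the Oracle "affected" column names the last affected update per major version (6u113, 7u99, 8u77; all priors affected, later releases fixed, 8u91 being the first public Java 8 release with the fix), and the bug only matters when remote JMX/RMI is enabled. The following is an added example, not code from the thread or from Tomcat; it assumes a `java -version` style string such as `1.8.0_91` and the JVM command line, and treats the `com.sun.management.jmxremote.port` system property as the signal that the remote connector is on.

```python
import re

# Last affected update per major version, from the Oracle April 2016 CPU row
# quoted in the thread ("Java SE: 6u113, 7u99, 8u77"). Per the thread, that
# version and all priors are affected and later releases carry the fix
# (8u91 being the first public Java 8 release with it).
LAST_AFFECTED_UPDATE = {6: 113, 7: 99, 8: 77}

# Java 6/7/8 report versions like "1.8.0_91"; the update level follows "_".
_VERSION_RE = re.compile(r'^1\.(?P<major>[678])\.0_(?P<update>\d+)')

# Setting this system property is what enables the remote JMX/RMI connector.
_REMOTE_JMX_FLAG = '-Dcom.sun.management.jmxremote.port='


def parse_java_version(version):
    """Return (major, update) for a 1.x.0_NN string: "1.8.0_91" -> (8, 91)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f'unrecognised Java version string: {version!r}')
    return int(m.group('major')), int(m.group('update'))


def jvm_is_vulnerable(version):
    """True if this JVM build predates the CVE-2016-3427 fix."""
    major, update = parse_java_version(version)
    return update <= LAST_AFFECTED_UPDATE[major]


def remote_jmx_enabled(jvm_args):
    """True if the JVM command line enables the remote JMX/RMI connector."""
    return _REMOTE_JMX_FLAG in jvm_args


def assess(version, jvm_args):
    """Verdict as the thread frames it: only a vulnerable JVM that also
    exposes remote JMX is actually at risk."""
    if not jvm_is_vulnerable(version):
        return 'patched'
    if not remote_jmx_enabled(jvm_args):
        return 'not exposed (remote JMX disabled)'
    return 'EXPOSED: update the JVM'


if __name__ == '__main__':
    # Constructed sample (version, command line) pairs, not real hosts.
    for v, args in [('1.8.0_60', 'java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar'),
                    ('1.8.0_60', 'java -jar app.jar'),
                    ('1.8.0_91', 'java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar')]:
        print(v, '->', assess(v, args))
```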
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
Woonsan,

On 5/25/16 11:29 AM, Woonsan Ko wrote:
> On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to address
>>> CVE-2016-3427
>>>
>>> For the longer version, see the blog post I just published on
>>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>>
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been patched
>> in April, but I have no idea what version of Java was published in
>> April, and Oracle's site seems very reticent to tell me :(
>>
>> The CVEs have virtually no information other than "something bad exists
>> in some versions of some stuff, and you should upgrade". Upgrade to what
>> ?
>
> When I clicked on the CVE link and the link to oracle page onward in
> the Reference section
> (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
> I could see the Java version ("Supported Versions Affected" column) in
> the table when I look up "CVE-2016-3427".

Right:

"Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

I have Java 1.8.0_91. Am I affected? What about if I had Java 1.8.0_60?

That doesn't give a version range. It makes it seem like only that version number was affected. It also doesn't say what version has the fix.

What if you are on a beta-release schedule and you have out-of-band updates from the public ones?

What about Java 9?

What about Java 5?

The documentation is just horrible.

-chris
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

When I clicked on the CVE link and the link to oracle page onward in the Reference section (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html), I could see the Java version ("Supported Versions Affected" column) in the table when I look up "CVE-2016-3427".

> -chris
Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:
> TL;DR If you use remote JMX, you need to update your JVM to address
> CVE-2016-3427
>
> For the longer version, see the blog post I just published on
> this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Okay, I give up: what version of Java 8 actually has this patch? Oracle's site gives me the runaround and tells me that it's been patched in April, but I have no idea what version of Java was published in April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtually no information other than "something bad exists in some versions of some stuff, and you should upgrade". Upgrade to what ?

-chris
[SECURITY] Java Deserialization, JMX and CVE-2016-3427
TL;DR If you use remote JMX, you need to update your JVM to address CVE-2016-3427

For the longer version, see the blog post I just published on this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Mark