Repository: james-site
Updated Branches:
  refs/heads/asf-site 1b35e747e -> 2e4488235


Add notes in security page


Project: http://git-wip-us.apache.org/repos/asf/james-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-site/commit/2e448823
Tree: http://git-wip-us.apache.org/repos/asf/james-site/tree/2e448823
Diff: http://git-wip-us.apache.org/repos/asf/james-site/diff/2e448823

Branch: refs/heads/asf-site
Commit: 2e448823563637f0fe598348703dc65da5bffd24
Parents: 1b35e74
Author: Antoine Duprat <[email protected]>
Authored: Wed Oct 25 16:29:11 2017 +0200
Committer: Antoine Duprat <[email protected]>
Committed: Wed Oct 25 16:29:11 2017 +0200

----------------------------------------------------------------------
 content/server/3/feature-security.html | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/james-site/blob/2e448823/content/server/3/feature-security.html
----------------------------------------------------------------------
diff --git a/content/server/3/feature-security.html 
b/content/server/3/feature-security.html
index 0d540b7..29600c8 100644
--- a/content/server/3/feature-security.html
+++ b/content/server/3/feature-security.html
@@ -315,7 +315,35 @@
 <p>Apache James Server supports different user storage (<a 
href="config-users.html">read more</a>) - LDAP support is partail (work in 
progress).</p>
 
   </div>
-  
+
+    
+<div class="section">
+<h2><a name="Reported_vulnerabilities"></a>Reported vulnerabilities</h2>
+        
+<div class="section">
+<h3><a name="Apache_James_3.0.0"></a>Apache James 3.0.0</h3>
+            
+<p>The Apache James Server version 3.0.0 is vulnerable to Java deserialization 
issues.</p>
+            
+<p>One can use this for privilege escalation.</p>
+            
+<p>This issue can be mitigated by:</p>
+            
+<ul>
+                
+<li>Upgrading to James 3.0.1</li>
+                
+<li>Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)</li>
+                
+<li>Exposing JMX socket only to localhost (default behaviour)</li>
+                
+<li>Possibly running James in a container</li>
+            </ul>
+            
+<p>Read more <a class="externalLink" 
href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html";>here</a>.</p>
+        </div>
+
+    </div>  
 
 
 
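Review bot: the "Read more" link in this hunk has a stray semicolon after the closing quote of the href (`href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html";>`), which will render as a literal `;` in the page, and the URL itself contains a doubled slash (`//james/`); drop the semicolon and collapse the slash. Two of the mitigation bullets also overstate what they give: "Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)" describes a failed reproduction, not a fix, so it should be phrased as reducing exposure rather than as a mitigation, and "Exposing JMX socket only to localhost (default behaviour)" only limits remote reachability; since the same paragraph says the issue can be used for privilege escalation, the text should state that a localhost-only socket still leaves the JMX endpoint reachable by local users. "Possibly running James in a container" gives the reader nothing actionable and should either say what the container is meant to contain or be dropped. Finally, the advisory names no vulnerability identifier; the section should cite one alongside the release link. (Drive-by in the unchanged context above the hunk: "partail" should read "partial".)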


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
