Repository: james-project
Updated Branches:
  refs/heads/master c5cccba0b -> 0b392543d


JAMES-2197 Add notes in security page


Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/0b392543
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/0b392543
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/0b392543

Branch: refs/heads/master
Commit: 0b392543d1b544f475e7ccf89a261b7ddcea329c
Parents: 524da5a
Author: benwa <[email protected]>
Authored: Fri Oct 20 10:53:28 2017 +0700
Committer: Matthieu Baechler <[email protected]>
Committed: Fri Oct 20 15:11:27 2017 +0200

----------------------------------------------------------------------
 src/site/xdoc/server/feature-security.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/james-project/blob/0b392543/src/site/xdoc/server/feature-security.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/server/feature-security.xml 
b/src/site/xdoc/server/feature-security.xml
index 9809ee3..cea28e3 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -44,6 +44,22 @@
     <p>Apache James Server supports different user storage (<a 
href="config-users.html">read more</a>) - LDAP support is partail (work in 
progress).</p>
 
   </section>
+
+    <section name="Reported vulnerabilities">
+        <subsection name="Apache James 3.0.0">
+            <p>The Apache James Server version 3.0.0 is vulnerable to Java 
deserialization issues.</p>
+            <p>One can use this for privilege escalation.</p>
+            <p>This issue can be mitigated by:</p>
+            <ul>
+                <li>Upgrading to James 3.0.1</li>
+                <li>Using a recent JRE (Exploit could not be reproduced on 
OpenJdk 8 u141)</li>
+                <li>Exposing JMX socket only to localhost (default 
behaviour)</li>
+                <li>Possibly running James in a container</li>
+            </ul>
+            <p>Read more <a 
href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html";>here</a>.</p>
+        </subsection>
+
+    </section>
   
 </body>
 
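Review bot: the mitigation bullet "Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)" reads as a guarantee drawn from a single failed reproduction; reword it so that upgrading to 3.0.1 is the actual fix and a recent JRE only reduces exposure, e.g. "Running a recent JRE reduces exposure (the issue could not be reproduced on OpenJDK 8u141), but it is not a fix". Likewise "Possibly running James in a container" does not tell an operator what the container buys them; say it limits the impact of a successful attack rather than preventing it, or drop it. The first paragraph should name the vulnerability identifier (CVE or JIRA key) so readers can match it against advisories, and since the "Exposing JMX socket only to localhost" bullet implies JMX is the entry point, the description should state that explicitly. Finally, the link on the last paragraph has a doubled slash in the path (`james.apache.org//james/update/...`) and a stray `;` after the closing quote of `href`, which will be rendered as literal text; the nearby context line also carries the pre-existing typo "partail", worth fixing in the same commit.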

