Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/05/24 14:06:20 UTC

[SECURITY] Java Deserialization, JMX and CVE-2016-3427

TL;DR
If you use remote JMX, you need to update your JVM to address CVE-2016-3427

For the longer version, see the blog post I just published on this:
http://engineering.pivotal.io/post/java-deserialization-jmx/

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

On 5/25/16 11:41 AM, David kerber wrote:
> On 5/25/2016 11:12 AM, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> Mark,
>> 
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to
>>> address CVE-2016-3427
>>> 
>>> For the longer version, see the blog post I just published on 
>>> this:
>>> http://engineering.pivotal.io/post/java-deserialization-jmx/
>> 
>> Okay, I give up: what version of Java 8 actually has this patch? 
>> Oracle's site gives me the runaround and tells me that it's been
>> patched in April, but I have no idea what version of Java was
>> published in April, and Oracle's site seems very reticent to tell
>> me :(
>> 
>> The CVEs have virtually no information other than "something bad
>> exists in some versions of some stuff, and you should upgrade".
>> Upgrade to what ?
> 
> Wouldn't it just be the latest?

Presumably so, but do you really want to read between the lines for a
security advisory? This should be much more clear to the reader. At
face value, it appears that precisely 5 versions are affected, when
the truth is much worse.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFyhgACgkQ9CaO5/Lv0PBPigCgmCNXhA/kEiJRI5J5sUVunKmG
VNgAmwcBS1DRQy9NBnQRoARFdLbUqHu6
=TuoZ
-----END PGP SIGNATURE-----



Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by David kerber <dc...@verizon.net>.
On 5/25/2016 11:12 AM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

Wouldn't it just be the latest?





RE: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Subject: Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

> "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

> I have Java 1.8.0_91. Am I affected?

No.

> What about if I had Java 1.8.0_60?

Yes.

> That doesn't give a version range. It makes it seem like only that
> version number was affected. It also doesn't say what version has the
> fix.

Oracle has certainly made a mess of it.  (Among other things, they decided to co-opt the acronym "CPU", intending it to stand for "Critical Patch Update"; I guess they were unaware it had any prior meaning.)

As far as the affected versions go, that column means the specified version and all priors are impacted, and all later versions include the fix.  Not at all clear.

> What if you are on a beta-release schedule and you have out-of-band
> updates from the public ones?

Then you get direct weekly e-mails from Oracle describing what's in each CPU, when it will be available, and what build number it will be.

> What about Java 9?

That's included in the e-mails mentioned above.  It's still in major flux, so no one should be using it in production or anywhere else that can be accessed from the internet.

> What about Java 5?

Not supported, unless you pay lots of money, in which case you get e-mails.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Woonsan,

On 5/25/16 11:29 AM, Woonsan Ko wrote:
> On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> Mark,
>>
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to address
>>> CVE-2016-3427
>>>
>>> For the longer version, see the blog post I just published on
>>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>>
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been patched
>> in April, but I have no idea what version of Java was published in
>> April, and Oracle's site seems very reticent to tell me :(
>>
>> The CVEs have virtually no information other than "something bad exists
>> in some versions of some stuff, and you should upgrade". Upgrade to what
>> ?
>
> When I clicked on the CVE link and the link to oracle page onward in
> the Reference section
> (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
> I could see the Java version ("Supported Versions Affected" column) in
> the table when I look up "CVE-2016-3427".

Right:

"Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9"

I have Java 1.8.0_91. Am I affected? What about if I had Java 1.8.0_60?

That doesn't give a version range. It makes it seem like only that
version number was affected. It also doesn't say what version has the
fix. What if you are on a beta-release schedule and you have out-of-band
updates from the public ones? What about Java 9? What about Java 5?

The documentation is just horrible.

-chris


Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Woonsan Ko <wo...@apache.org>.
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

When I clicked on the CVE link and the link to oracle page onward in
the Reference section
(CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html),
I could see the Java version ("Supported Versions Affected" column) in
the table when I look up "CVE-2016-3427".

>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAldFwPAACgkQ9CaO5/Lv0PBRjQCeOkzoLqUv6DMHkLWkEbfySe74
> tvgAnRnNMavAA9M7Y2FxoTOQ1mo8eIW9
> =g9B3
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>



Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Daniel Savard <da...@gmail.com>.
2016-05-25 13:42 GMT-04:00 Mark Thomas <ma...@apache.org>:
(...)

> For example, this issue only applies if you are using JMX/RMI. If you
> are, it is likely to be a significant risk. If you aren't, it won't
> affect you. One of the reasons I published that blog post was to provide
> folks with the information they need to figure out whether this affects
> them or not.
>
> Mark
>

In doubt, I usually prefer to upgrade to latest version. I see no reason to
stick to a lower version unless a specific bug is known and has been
introduced into the latest version.

-----------------
Daniel Savard

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Mark Thomas <ma...@apache.org>.
On 25/05/2016 16:12, Christopher Schultz wrote:
> Mark,
> 
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
> 
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
> 
> Okay, I give up: what version of Java 8 actually has this patch?

8u91 onwards.

If you want the fix in an earlier Java version then you'll need to be
paying Oracle $$$ for extended Java support.

> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
> 
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what
> ?

At least you can derive that from public information. What annoys me far
more is that Oracle provide next to no detail with their CVE
announcements so it is impossible for a user to determine if the issue
affects them or not.

For example, this issue only applies if you are using JMX/RMI. If you
are, it is likely to be a significant risk. If you aren't, it won't
affect you. One of the reasons I published that blog post was to provide
folks with the information they need to figure out whether this affects
them or not.

Mark

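The thread raises two separate questions that a practitioner has to answer for every JVM in an inventory: is the update level inside the affected range (Chuck's reading of Oracle's "Supported Versions Affected" column: 6u113, 7u99, 8u77 and every earlier update are affected, later ones carry the fix, 8u91 onwards for Java 8 per Mark), and is remote JMX actually turned on, which Mark gives as the precondition for the issue mattering at all. The following Python script is an added example that encodes both rules; it is not code from this thread, from Tomcat or from Oracle. The JMX check is a heuristic on the JVM's command-line system properties (com.sun.management.jmxremote.port and com.sun.management.jmxremote.rmi.port, which are what make the stock agent listen on a TCP port); a connector opened programmatically by the application or container is not visible to it. The version strings and command lines in SAMPLE_PROCESSES are constructed, and the verdict labels returned by triage() are my own.

```python
"""Triage helper for CVE-2016-3427: is this JVM in the affected version
range, and does its command line actually expose remote JMX/RMI?
(Added example, not code from the mailing-list thread.)"""
import re
import shlex
from typing import Dict, Optional, Tuple

# Last affected update per major release, from the Oracle April 2016 CPU
# table quoted in the thread ("Java SE: 6u113, 7u99, 8u77"). The listed
# update and every earlier one are affected; later ones carry the fix
# (8u91 onwards for Java 8). Releases not listed here (5, 9, ...) report
# "unknown" because the thread gives no data for them.
LAST_AFFECTED_UPDATE = {6: 113, 7: 99, 8: 77}

# System properties that make the built-in JMX agent listen on a TCP port.
# Plain -Dcom.sun.management.jmxremote (no port) is local-only.
JMX_PORT_PROPS = (
    "com.sun.management.jmxremote.port",
    "com.sun.management.jmxremote.rmi.port",
)

# Accepts '1.8.0_91', '8u77', '9-ea' and the first line of `java -version`
# output such as: java version "1.7.0_80"
_VERSION_RE = re.compile(
    r'^(?:java version )?"?(?:1\.)?(\d+)(?:\.\d+)?(?:[_u](\d+))?'
)


def parse_java_version(version: str) -> Tuple[int, int]:
    """Return (major, update); update defaults to 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def version_affected(version: str) -> Optional[bool]:
    """True if the JVM is in the affected range, False if it carries the
    fix, None if the thread provides no data for that major release."""
    major, update = parse_java_version(version)
    last = LAST_AFFECTED_UPDATE.get(major)
    return None if last is None else update <= last


def jvm_properties(cmdline: str) -> Dict[str, str]:
    """Collect -Dname=value system properties from a JVM command line.
    A property given without '=value' is recorded with an empty value."""
    props: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def remote_jmx_enabled(cmdline: str) -> bool:
    """Heuristic: the stock agent only accepts remote connections when a
    port property is set. Connectors opened programmatically by the
    application or container are NOT visible on the command line."""
    props = jvm_properties(cmdline)
    return any(p in props for p in JMX_PORT_PROPS)


def triage(version: str, cmdline: str) -> str:
    """Combine both checks into one of: not-exposed, patched, at-risk, unknown."""
    if not remote_jmx_enabled(cmdline):
        return "not-exposed"   # no remote JMX/RMI listener, so no entry point
    affected = version_affected(version)
    if affected is None:
        return "unknown"       # release not covered by the advisory data above
    return "at-risk" if affected else "patched"


# Constructed sample inventory (version string, JVM command line); not real hosts.
SAMPLE_PROCESSES = [
    ("1.8.0_60", "java -Dcom.sun.management.jmxremote.port=9010 "
                 "-Dcom.sun.management.jmxremote.authenticate=false -jar app.jar"),
    ("1.8.0_91", "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
    ("1.8.0_60", "java -Dcom.sun.management.jmxremote -jar app.jar"),
    ('java version "1.7.0_80"',
     "java -Dcom.sun.management.jmxremote.rmi.port=9011 -jar app.jar"),
    ("9-ea", "java -Dcom.sun.management.jmxremote.port=9010 -jar app.jar"),
]

if __name__ == "__main__":
    for version, cmdline in SAMPLE_PROCESSES:
        print(f"{triage(version, cmdline):12s} {version:26s} {cmdline}")
```

In practice the version string comes from `java -version` on the host and the command line from `jps -v` or the process table, one JVM at a time. A "not-exposed" verdict only says the stock remote agent was not enabled via the command line; given that the heuristic cannot see programmatic connectors, upgrading regardless, as Daniel suggests further down the thread, is the safer default.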


Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 5/24/16 10:06 AM, Mark Thomas wrote:
> TL;DR If you use remote JMX, you need to update your JVM to address
> CVE-2016-3427
> 
> For the longer version, see the blog post I just published on
> this: http://engineering.pivotal.io/post/java-deserialization-jmx/

Okay, I give up: what version of Java 8 actually has this patch?
Oracle's site gives me the runaround and tells me that it's been patched
in April, but I have no idea what version of Java was published in
April, and Oracle's site seems very reticent to tell me :(

The CVEs have virtually no information other than "something bad exists
in some versions of some stuff, and you should upgrade". Upgrade to what
?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFwPAACgkQ9CaO5/Lv0PBRjQCeOkzoLqUv6DMHkLWkEbfySe74
tvgAnRnNMavAA9M7Y2FxoTOQ1mo8eIW9
=g9B3
-----END PGP SIGNATURE-----


