Posted to dev@uima.apache.org by "Jerry Cwiklik (JIRA)" <de...@uima.apache.org> on 2017/11/01 19:00:02 UTC
[jira] [Updated] (UIMA-5636) UIMA-DUCC: restrict JMX access when running with older java
[ https://issues.apache.org/jira/browse/UIMA-5636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jerry Cwiklik updated UIMA-5636:
--------------------------------
Description:
Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427. DUCC processes run with JMX enabled by default, and the Java vulnerability can be exploited.
The main fix is to run with a newer Java. These are the versions of Java that contain the fix:
IBM - 1.7.0.9.40, 1.7.1.3_40, 1.8.0.3.0
Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
Java 9 (Oracle & IBM)
DUCC code should introspect the Java version at runtime and lock down JMX when running with a version that is known to have the vulnerability. External JMX access should not be allowed.
was:
Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427. DUCC processes run with JMX enabled by default, and the Java vulnerability can be exploited.
The main fix is to run with a newer Java. These are the versions of Java that contain the fix:
IBM - 1.7.0.40, 1.7.1.3_40, 1.8.0.3.0
Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
Java 9 (Oracle & IBM)
DUCC code should introspect the Java version at runtime and lock down JMX when running with a version that is known to have the vulnerability. External JMX access should not be allowed.
> UIMA-DUCC: restrict JMX access when running with older java
> -----------------------------------------------------------
>
> Key: UIMA-5636
> URL: https://issues.apache.org/jira/browse/UIMA-5636
> Project: UIMA
> Issue Type: Improvement
> Components: DUCC
> Reporter: Jerry Cwiklik
> Assignee: Jerry Cwiklik
> Fix For: 2.2.2-Ducc
>
>
> Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427. DUCC processes run with JMX enabled by default, and the Java vulnerability can be exploited.
> The main fix is to run with a newer Java. These are the versions of Java that contain the fix:
> IBM - 1.7.0.9.40, 1.7.1.3_40, 1.8.0.3.0
> Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
> Java 9 (Oracle & IBM)
> DUCC code should introspect the Java version at runtime and lock down JMX when running with a version that is known to have the vulnerability. External JMX access should not be allowed.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
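
The runtime check the issue asks for, sketched as an added example (not DUCC's own code and not part of the original message): it compares a vendor and release string against the fixed levels listed above and fails closed on anything it cannot parse. The class and method names are hypothetical, and it assumes IBM release levels are supplied in the dotted form the issue uses, which the java.version property alone may not provide.

```java
import java.util.HashMap;
import java.util.Map;

public class JmxVersionGate {
    // Minimum fixed levels copied from the issue text, keyed by vendor family and release line.
    private static final Map<String, int[]> FIXED = new HashMap<>();
    static {
        FIXED.put("oracle:1.7.0", new int[] {101});   // 1.7.0_101+
        FIXED.put("oracle:1.8.0", new int[] {91});    // 1.8.0_91+
        FIXED.put("ibm:1.7.0", new int[] {9, 40});    // 1.7.0.9.40
        FIXED.put("ibm:1.7.1", new int[] {3, 40});    // 1.7.1.3_40
        FIXED.put("ibm:1.8.0", new int[] {3, 0});     // 1.8.0.3.0
    }

    /** Returns true only when the release is known to contain the fix. */
    static boolean hasFix(String vendor, String version) {
        try {
            String v = vendor.toLowerCase();
            String family = v.contains("ibm") ? "ibm"
                    : (v.contains("oracle") || v.contains("sun")) ? "oracle" : null;
            if (family == null) return false;                // vendor not covered by the issue
            // Drop build suffixes such as "-b14" or "+9", then split on '.' and '_'.
            String[] t = version.trim().split("[-+]")[0].split("[._]");
            int[] n = new int[t.length];
            for (int i = 0; i < t.length; i++) n[i] = Integer.parseInt(t[i]);
            if (n[0] >= 9) return true;                      // Java 9 and later (Oracle & IBM)
            if (n.length < 4) return false;                  // no update level: treat as unknown
            int[] min = FIXED.get(family + ":" + n[0] + "." + n[1] + "." + n[2]);
            if (min == null) return false;                   // release line not listed
            for (int i = 0; i < min.length; i++) {
                int have = 3 + i < n.length ? n[3 + i] : 0;
                if (have != min[i]) return have > min[i];
            }
            return true;                                     // exactly the fixed level
        } catch (RuntimeException e) {
            return false;                                    // unparseable input: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, followed by the running JVM's own properties.
        String[][] samples = {{"Oracle Corporation", "1.7.0_80"}, {"Oracle Corporation", "1.8.0_91-b14"},
                {"IBM Corporation", "1.7.0.9.30"}, {"IBM Corporation", "1.8.0.3.0"},
                {System.getProperty("java.vendor"), System.getProperty("java.version")}};
        for (String[] s : samples)
            System.out.println(s[0] + " " + s[1] + " -> "
                    + (hasFix(s[0], s[1]) ? "fix present" : "restrict external JMX access"));
    }
}
```

Returning false for every unrecognised vendor or version string means an unexpected format results in JMX being restricted rather than left open.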