hadoop-common-dev mailing list archives

From "Ottenheimer, Davi" <Davi.Ottenhei...@emc.com>
Subject RE: Plans of moving towards JDK7 in trunk
Date Tue, 08 Apr 2014 09:00:45 GMT
> From: Eli Collins [mailto:eli@cloudera.com]
> Sent: Monday, April 07, 2014 11:54 AM
> 
> 
> IMO we should not drop support for Java 6 in a minor update of a stable
> release (v2).  I don't think the larger Hadoop user base would find it
> acceptable that upgrading to a minor update caused their systems to stop
> working because they didn't upgrade Java. There are people still getting
> support for Java 6. ...
> 
> Thanks,
> Eli

Hi Eli, 

Technically you are correct: those with extended support get critical security fixes for 6
until the end of 2016. I am curious whether many of those are in the Hadoop user base. Do
you know? My guess is the vast majority are within Oracle's official public end of life, which
was over 12 months ago. Even Premier support ended Dec 2013:

http://www.oracle.com/technetwork/java/eol-135779.html

The end of Java 6 support carries much risk. It has to be considered in terms of serious security
vulnerabilities such as CVE-2013-2465 with CVSS score 10.0. 

http://www.cvedetails.com/cve/CVE-2013-2465/

Since you mentioned "caused systems to stop" as an example of what would be a concern to Hadoop
users, please note the CVE-2013-2465 availability impact:

"Complete (There is a total shutdown of the affected resource. The attacker can render the
resource completely unavailable.)"

This vulnerability was patched in Java 6 Update 51, but post end of life. Apple pushed out
the update specifically because of this vulnerability (http://support.apple.com/kb/HT5717)
as did some other vendors privately, but for the majority of people, using Java 6 means they
have a ticking time bomb.

Allowing it to stay should be considered in terms of accepting the whole risk posture.

Davi
