tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427
Date Wed, 25 May 2016 15:51:52 GMT

David,

On 5/25/16 11:41 AM, David kerber wrote:
> On 5/25/2016 11:12 AM, Christopher Schultz wrote:
>> 
>> Mark,
>> 
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to
>>> address CVE-2016-3427
>>> 
>>> For the longer version, see the blog post I just published on 
>>> this:
>>> http://engineering.pivotal.io/post/java-deserialization-jmx/
>> 
>> Okay, I give up: what version of Java 8 actually has this patch? 
>> Oracle's site gives me the runaround and tells me that it's been
>> patched in April, but I have no idea what version of Java was
>> published in April, and Oracle's site seems very reticent to tell
>> me :(
>> 
>> The CVEs have virtually no information other than "something bad
>> exists in some versions of some stuff, and you should upgrade".
>> Upgrade to what ?
> 
> Wouldn't it just be the latest?

Presumably so, but do you really want to read between the lines for a
security advisory? This should be much more clear to the reader. At
face value, it appears that precisely 5 versions are affected, when
the truth is much worse.

-chris
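Since the thread's practical advice is "if you run remote JMX, update the JVM" without naming a version, here is an added example (not from the thread or from Tomcat) of how an operator could check both points across a fleet: parse the first line of `java -version` and compare it against an operator-supplied minimum update, and check a Tomcat JAVA_OPTS/CATALINA_OPTS string for the `-Dcom.sun.management.jmxremote.port=` switch that turns on the remote agent. The minimum major/update values are parameters you fill in from the vendor's patch notes; the version strings used for illustration are constructed.

```shell
#!/bin/sh
# Added example: decide whether a JVM is at or above a required update
# and whether a Tomcat option string enables remote JMX.
# The thresholds are operator-supplied; nothing here comes from the thread.

# java_update_ok "<first line of java -version>" MIN_MAJOR MIN_UPDATE
# Returns 0 when the reported version is >= MIN_MAJOR.MIN_UPDATE.
# Handles both the old "1.8.0_77" scheme and the newer "9.0.4" / "11.0.2" scheme.
java_update_ok() {
    line=$1; min_major=$2; min_update=$3
    # Pull the quoted version token out of e.g. java version "1.8.0_77"
    ver=$(printf '%s\n' "$line" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*)  # legacy scheme: 1.<major>.0_<update>
              major=$(printf '%s' "$ver" | cut -d. -f2)
              update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9]*\).*/\1/p') ;;
        *)    # JEP 223 scheme: <major>.<minor>.<security>
              major=$(printf '%s' "$ver" | cut -d. -f1)
              update=$(printf '%s' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.\([0-9]*\).*/\1/p') ;;
    esac
    : "${update:=0}"
    [ "$major" -gt "$min_major" ] && return 0
    [ "$major" -eq "$min_major" ] && [ "$update" -ge "$min_update" ] && return 0
    return 1
}

# jmx_remote_enabled "<JAVA_OPTS / CATALINA_OPTS string>"
# Returns 0 when the remote JMX agent is switched on via jmxremote.port.
jmx_remote_enabled() {
    case " $1 " in
        *" -Dcom.sun.management.jmxremote.port="*) return 0 ;;
    esac
    return 1
}

# Usage on a live host (thresholds are placeholders you set yourself):
# java_update_ok "$(java -version 2>&1 | head -n1)" 8 <MIN_UPDATE> || echo "JVM below required update"
# jmx_remote_enabled "$CATALINA_OPTS $JAVA_OPTS" && echo "remote JMX is enabled"
```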
