james-server-dev mailing list archives

From adup...@apache.org
Subject james-site git commit: Add notes in security page
Date Wed, 25 Oct 2017 14:37:04 GMT
Repository: james-site
Updated Branches:
  refs/heads/asf-site 1b35e747e -> 2e4488235


Add notes in security page


Project: http://git-wip-us.apache.org/repos/asf/james-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-site/commit/2e448823
Tree: http://git-wip-us.apache.org/repos/asf/james-site/tree/2e448823
Diff: http://git-wip-us.apache.org/repos/asf/james-site/diff/2e448823

Branch: refs/heads/asf-site
Commit: 2e448823563637f0fe598348703dc65da5bffd24
Parents: 1b35e74
Author: Antoine Duprat <aduprat@linagora.com>
Authored: Wed Oct 25 16:29:11 2017 +0200
Committer: Antoine Duprat <aduprat@linagora.com>
Committed: Wed Oct 25 16:29:11 2017 +0200

----------------------------------------------------------------------
 content/server/3/feature-security.html | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/james-site/blob/2e448823/content/server/3/feature-security.html
----------------------------------------------------------------------
diff --git a/content/server/3/feature-security.html b/content/server/3/feature-security.html
index 0d540b7..29600c8 100644
--- a/content/server/3/feature-security.html
+++ b/content/server/3/feature-security.html
@@ -315,7 +315,35 @@
 <p>Apache James Server supports different user storage (<a href="config-users.html">read
more</a>) - LDAP support is partail (work in progress).</p>
 
   </div>
-  
+
+    
+<div class="section">
+<h2><a name="Reported_vulnerabilities"></a>Reported vulnerabilities</h2>
+        
+<div class="section">
+<h3><a name="Apache_James_3.0.0"></a>Apache James 3.0.0</h3>
+            
+<p>The Apache James Server version 3.0.0 is vulnerable to Java deserialization issues.</p>
+            
+<p>One can use this for privilege escalation.</p>
+            
+<p>This issue can be mitigated by:</p>
+            
+<ul>
+                
+<li>Upgrading to James 3.0.1</li>
+                
+<li>Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)</li>
+                
+<li>Exposing JMX socket only to localhost (default behaviour)</li>
+                
+<li>Possibly running James in a container</li>
+            </ul>
+            
+<p>Read more <a class="externalLink" href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html">here</a>.</p>
+        </div>
+
+    </div>  
 
 
 
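
Review bot: The new "Apache James 3.0.0" section never names the interface through which the deserialization issue is reached, although the third mitigation ("Exposing JMX socket only to localhost (default behaviour)") implies it is the JMX socket. Say so in the first paragraph, so an operator can tell at once whether a deployment that changed the default is exposed, and add the advisory identifier if one was assigned. The list also presents the upgrade to 3.0.1 alongside "Using a recent JRE" and "Possibly running James in a container" as if they were equivalent; mark the upgrade as the fix and the other three as hardening for installations that cannot upgrade yet, and either say what the container is expected to limit or drop the "Possibly". Smaller points: the "Read more" href has a double slash after the host ("james.apache.org//james/update/..."), "OpenJdk 8 u141" should be written "OpenJDK 8u141", the closing "+    </div>  " line carries trailing whitespace, and the context paragraph above the hunk still has the typo "partail", which could be fixed in the same change.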

