uima-dev mailing list archives

From "Jerry Cwiklik (JIRA)" <...@uima.apache.org>
Subject [jira] [Updated] (UIMA-5636) UIMA-DUCC: restrict JMX access when running with older java
Date Wed, 01 Nov 2017 19:00:02 GMT

     [ https://issues.apache.org/jira/browse/UIMA-5636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry Cwiklik updated UIMA-5636:
--------------------------------
    Description: 
Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427. DUCC
processes run with JMX enabled by default, and the Java vulnerability can be exploited.
The main fix is to run with a newer Java. These are the versions of Java that contain the
fix:

   IBM - 1.7.0.9.40, 1.7.1.3_40, 1.8.0.3.0
   Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
   Java 9 (Oracle & IBM)

DUCC code should introspect the Java version at runtime and lock down JMX when running with a
version that is known to have the vulnerability. External JMX access should not be allowed.

  was:
Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427. DUCC
processes run with JMX enabled by default, and the Java vulnerability can be exploited.
The main fix is to run with a newer Java. These are the versions of Java that contain the
fix:

   IBM - 1.7.0.40, 1.7.1.3_40, 1.8.0.3.0
   Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
   Java 9 (Oracle & IBM)

DUCC code should introspect the Java version at runtime and lock down JMX when running with a
version that is known to have the vulnerability. External JMX access should not be allowed.


> UIMA-DUCC: restrict JMX access when running with older java
> -----------------------------------------------------------
>
>                 Key: UIMA-5636
>                 URL: https://issues.apache.org/jira/browse/UIMA-5636
>             Project: UIMA
>          Issue Type: Improvement
>          Components: DUCC
>            Reporter: Jerry Cwiklik
>            Assignee: Jerry Cwiklik
>             Fix For: 2.2.2-Ducc
>
>
> Older Java versions contain a JMX-related security vulnerability, as described by CVE-2016-3427.
> DUCC processes run with JMX enabled by default, and the Java vulnerability can be exploited.
> The main fix is to run with a newer Java. These are the versions of Java that contain
> the fix:
>    IBM - 1.7.0.9.40, 1.7.1.3_40, 1.8.0.3.0
>    Oracle (Sun) - 1.7.0_101+, 1.8.0_91+
>    Java 9 (Oracle & IBM)
> DUCC code should introspect the Java version at runtime and lock down JMX when running with
> a version that is known to have the vulnerability. External JMX access should not be allowed.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
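
The runtime check the issue asks for, sketched as an added example that is not DUCC's code or part of the original message: it applies the Oracle (Sun) and Java 9 thresholds listed above to `java.vendor` and `java.version`. The class and method names are hypothetical, and as an assumption the IBM service-release numbering is not parsed, so IBM Java 7/8 and any unrecognised version string are treated as vulnerable.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not DUCC code. Class and method names are hypothetical.
final class JmxVersionGate {
    // Legacy scheme "1.<major>.<minor>[_<update>][-<build>]", e.g. "1.8.0_91" or "1.7.0_80-b15".
    private static final Pattern LEGACY =
        Pattern.compile("^1\\.(\\d{1,2})\\.\\d+(?:_(\\d{1,4}))?(?:-.*)?$");
    // Java 9+ scheme "<major>[.<rest>]", e.g. "9", "9.0.1", "11.0.2+9".
    private static final Pattern MODERN = Pattern.compile("^(\\d{1,4})(?:[.+-].*)?$");

    /** True when external JMX access must stay disabled: vulnerable or unrecognised runtime. */
    static boolean mustRestrictJmx(String vendor, String version) {
        if (vendor == null || version == null) return true;   // fail closed
        Matcher legacy = LEGACY.matcher(version);
        if (legacy.matches()) {
            // Assumption: only Oracle/Sun update numbers are compared here. IBM
            // service-release numbering is not parsed, so IBM 7/8 is treated as vulnerable.
            if (!(vendor.startsWith("Oracle") || vendor.startsWith("Sun"))) return true;
            int major = Integer.parseInt(legacy.group(1));
            int update = legacy.group(2) == null ? 0 : Integer.parseInt(legacy.group(2));
            if (major == 7) return update < 101;   // fixed in 1.7.0_101+
            if (major == 8) return update < 91;    // fixed in 1.8.0_91+
            return true;                           // any other legacy major: fail closed
        }
        Matcher modern = MODERN.matcher(version);
        if (modern.matches()) return Integer.parseInt(modern.group(1)) < 9;  // Java 9+ has the fix
        return true;                               // unknown format: fail closed
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {java.vendor, java.version}
        String[][] samples = {
            {"Oracle Corporation", "1.7.0_80"}, {"Oracle Corporation", "1.7.0_101"},
            {"Oracle Corporation", "1.8.0_77"}, {"Oracle Corporation", "1.8.0_91-b14"},
            {"IBM Corporation", "1.8.0"}, {"Oracle Corporation", "9.0.1"}, {"Acme", "weird"},
        };
        for (String[] s : samples)
            System.out.printf("%-20s %-14s restrict=%b%n", s[0], s[1], mustRestrictJmx(s[0], s[1]));
        String v = System.getProperty("java.vendor"), r = System.getProperty("java.version");
        System.out.printf("this JVM: %s %s restrict=%b%n", v, r, mustRestrictJmx(v, r));
    }
}
```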
