www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tellier Benoit <btell...@apache.org>
Subject Announce: Apache James 3.0.1 security release
Date Fri, 20 Oct 2017 03:24:22 GMT
Hi everyone,

I, in the name of Apache James PMCs, am glad to announce you the release
version 3.0.1 of Apache James server.

It fixes vulnerability described in CVE-2017-12628. The JMX server, also
used by the command line client is exposed to a java de-serialization
issue, and thus can be used to execute arbitrary commands. As James
exposes JMX socket by default only on local-host, this vulnerability can
only be used for privilege escalation.

Release 3.0.1 upgrades the incriminated library.

Note that you can take additional defensive steps in order to mitigate
this vulnerability:

 - Ensure that you restrict the access to JMX only on local-host
 - Ensure that you are using a recent Java Run-time Environment. For
instance OpenJDK 8 u111 is vulnerable but OpenJDK 8 u 141 is not.
 - You can additionally run James in a container to limit damages of
potential exploits
 - And of course upgrade to the newest 3.0.1 version.

Best regards,

Benoit Tellier

View raw message