On 25/05/2016 16:12, Christopher Schultz wrote: > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: >> TL;DR If you use remote JMX, you need to update your JVM to address >> CVE-2016-3427 > >> For the longer version, see the blog post I just published on >> this: http://engineering.pivotal.io/post/java-deserialization-jmx/ > > Okay, I give up: what version of Java 8 actually has this patch?
8u91 onwards. If you want the fix in an early Java version then you'll need to be paying Oracle $$$ for extended Java support > Oracle's site gives me the runaround and tells me that it's been patched > in April, but I have no idea what version of Java was published in > April, and Oracle's site seems very reticent to tell me :( > > The CVEs have virtuall no information other than "something bad exists > in some versions of some stuff, and you should upgrade". Upgrade to what > ? At least you can derive that form public information. What annoys me far more is that Oracle provide next to no detail with their CVE announcements so it is impossible for a user to determine if the issue affects them or not. For example, this issue only applies if you are using JMX/RMI. If you are, it is likely to be a significant risk. If you aren't, it won't affect you. One of the reasons I published that blog post was to provide folks with the information they need to figure out whether this affects them or not. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
