|
Does anyone have the skinny on those Java CVE's? CVE-2014-6601 Java SE Multiple Hotspot Yes 10.0 Network Low None Complete Complete Complete Java SE 6u85, Java SE 7u72, Java SE 8u25 See Note 1 CVE-2015-0412 Java SE Multiple JAX-WS Yes 10.0 Network Low None Complete Complete Complete Java SE 6u85, Java SE 7u72, Java SE 8u25 See Note 1 CVE-2014-6549 Java SE Multiple Libraries Yes 10.0 Network Low None Complete Complete Complete Java SE 8u25 See Note 1 CVE-2015-0408 Java SE Multiple RMI Yes 10.0 Network Low None Complete Complete Complete Java SE 5.0u75, Java SE 6u85, Java SE 7u72, Java SE 8u25 See Note 1 RCE with admin rights but doesn't the Java process itself need to be run as admin for that to work?
|
# ? Jan 21, 2015 13:19 |
|
|
# ? Jun 7, 2024 14:49 |
|
probably why they're listed as low, RCEs are usually
|
# ? Jan 21, 2015 13:23 |
|
infernal machines posted:some people are going to die, horribly. kalstrams posted:russia
|
# ? Jan 21, 2015 13:25 |
|
faxlore posted:probably why they're listed as low, RCEs are usually Oh no that's complexity. They've CVSS 10, the highest.
|
# ? Jan 21, 2015 13:25 |
|
I retract what I said and replace it with "o jeez"
|
# ? Jan 21, 2015 15:34 |
|
https://rhn.redhat.com/errata/RHSA-2015-0069.html A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601) Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)
|
# ? Jan 21, 2015 15:52 |
|
thank goodness I am forever stuck on java 7 due to poo poo devs and these CVE's don't apply to me!
|
# ? Jan 21, 2015 16:16 |
|
https://rhn.redhat.com/errata/RHSA-2015-0068.html here's the java 7 version of that list
|
# ? Jan 21, 2015 16:19 |
|
are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target
|
# ? Jan 21, 2015 16:24 |
|
Shinku ABOOKEN posted:are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target
|
# ? Jan 21, 2015 16:25 |
|
why even the gently caress are they using doubleclick tracking I just can't even Raluek posted:his lol
|
# ? Jan 21, 2015 16:40 |
|
Shinku ABOOKEN posted:are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target you'll notice virtually all the exploits pertain to untrusted code running in the sandbox it's not like anyone else has really solved the problem of downloading untrusted code from the internet and executing it safely. (google thinks they have, but lol)
|
# ? Jan 21, 2015 16:47 |
|
also, beyond the fundamental issue of lol sandboxing: client-side java is dead. oracle doesn't really care about client side java and penetration rates have fallen through the floor. (sure, most desktops still have java plugins / java web start, but no mobile devices do)
|
# ? Jan 21, 2015 16:49 |
|
isnt chrome like getting rid of java (and iirc unity embed) support within the year or did i imagine that
|
# ? Jan 21, 2015 16:53 |
|
i uninstalled java on my desktop pc ages ago and haven't missed it once
|
# ? Jan 21, 2015 16:59 |
Jewel posted:isnt chrome like getting rid of java (and iirc unity embed) support within the year or did i imagine that
|
|
# ? Jan 21, 2015 17:04 |
|
chrome blocking npapi is ridiculous chrome will still have lovely plugins, they are just trying to force everyone to use chrome's proprietary plugin architecture: "native messaging" and "native client." nacl and messaging have failed to set the world on fire because it turns out that people don't want to invest time/money on a codebase that can only support one browser, ever.
|
# ? Jan 21, 2015 17:12 |
|
yet its rumored that the new ie (spartan) will support chrome native plugins
|
# ? Jan 21, 2015 17:41 |
|
Shinku ABOOKEN posted:are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target both. it's a big popular target which is technically and architecturally poo poo
|
# ? Jan 21, 2015 17:43 |
|
is minecraft still java
|
# ? Jan 21, 2015 18:42 |
Pinterest Mom posted:is minecraft still java
|
|
# ? Jan 21, 2015 19:10 |
|
anthonypants posted:uhhhhhhhh this is kind of a security fuckup Social Engineering will work forever.
|
# ? Jan 21, 2015 19:20 |
|
quote:Product & Service Introduction:
|
# ? Jan 21, 2015 19:21 |
|
Wittle babbys first ddos tool
|
# ? Jan 21, 2015 19:31 |
|
5
|
# ? Jan 21, 2015 19:33 |
oh yeah, we can start security fuckup forecast 2015 in case you missed presentation of poop x windows-as-a-service
|
|
# ? Jan 21, 2015 19:33 |
|
5
|
# ? Jan 21, 2015 19:57 |
|
Hack the DDoS website so that it unleashes patches to all the hacked routers it uses.
|
# ? Jan 21, 2015 21:57 |
|
Shinku ABOOKEN posted:are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target Java is the malware compatibility layer for... everything.
|
# ? Jan 21, 2015 22:08 |
|
quote:Write Once, Poop Anywhere
|
# ? Jan 21, 2015 22:43 |
|
Please don't mock my code style tia
|
# ? Jan 21, 2015 22:45 |
|
So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords. I am about to leave.
|
# ? Jan 21, 2015 23:52 |
|
a couple years ago someone made a site with a JavaScript emulation of a custom microcontroller that powered a bunch of virtual devices you had to hack, complete with data sheets for everything. is that site still around? I don't remember what it's called
|
# ? Jan 21, 2015 23:56 |
|
Luigi Thirty posted:a couple years ago someone made a site with a JavaScript emulation of a custom microcontroller that powered a bunch of virtual devices you had to hack, complete with data sheets for everything. is that site still around? I don't remember what it's called ruckingenur and matasano microcorruption come to mind
|
# ? Jan 21, 2015 23:58 |
|
OSI bean dip posted:So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords.
|
# ? Jan 22, 2015 00:01 |
|
OSI bean dip posted:So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords. owned minato posted:Are you objecting because they should have suggested a one-way hash, or because it's for a keystore like Keepass/Lastpass and you have a problem with AES? probably the first one, a keystore is an exception rather than the rule
|
# ? Jan 22, 2015 00:06 |
|
spankmeister posted:i uninstalled java on my desktop pc ages ago and haven't missed it once the supermicro (aten) ipmi ikvm dealy in one of my machines needs java to control the virtual console. i wonder how terribly insecure it is. good thing its not dmzd or anything
|
# ? Jan 22, 2015 00:07 |
OSI bean dip posted:So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords.
|
|
# ? Jan 22, 2015 00:07 |
|
minato posted:Are you objecting because they should have suggested a one-way hash, or because it's for a keystore like Keepass/Lastpass and you have a problem with AES? It was for a web app. I asked him about it during Q&A and he was like "oh I thought AES 2 worked.".
|
# ? Jan 22, 2015 00:07 |
|
|
# ? Jun 7, 2024 14:49 |
|
Raluek posted:the supermicro (aten) ipmi ikvm dealy in one of my machines needs java to control the virtual console. i wonder how terribly insecure it is. good thing its not dmzd or anything Yeah supermicro has a stand alone version of their terrible software available complete with packaged java. when I still dealt with supermicro I used that.
|
# ? Jan 22, 2015 00:12 |