I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions.
What I am unable to find is if a particular server does not have Java installed i.e. if I log in as root and run java -version and get java: command not found is this server completely safe from this issue and so I can move on?
My initial instinct was: no Java - no issue. However, GitHub released an update for their Enterprise servers stating:
CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.
And yet Java is not installed on their enterprise server.
I am guessing the offending service must be with Java running in a docker container. So I think I need to consider Java on the machine or Java running in a container.
Are there other hidden ways I have not considered in which this log4j process can be running?
log4j2 is a library that must be used by a running java process, to be vulnarable. But you are right, that checking if the java command is installed to the command line is not enough.
Here are two options (not meant to be complete), how your system could still be vulnerable without having the java command available on the command line.
Java could be downloaded into a directory without adding the java command or directory to the executable PATH. By using a .bash (or .bat) script a java process pointing to the downloaded java version could still be started. But when the directory is not added to the path, you will not find the java command enabled.
Java could be running inside of a docker container. the java command would only be available inside of your docker container but not visible from outside. I am not sure if an additional exploit would be required to break out of the container of if this is easily possible without extra effort.
I don't have a full answer yet but very definitely NO you are not safe even if Java is not installed, and Docker is not installed, and Java is not running in the process list, and Java is not in your yum/apt installed applications lists.
An obvious case I had not considered is when Java is added to an app as a JRE.
A Coverity platform server we have does not install Java but Java is running e.g. ps -ax | grep java
/home/coverity/cov_platform-2021.9.0/jre/bin/java -Djava.awt.headless=true -Djdk.tls......
Working out if a vulnerable version of Log4j is included in that JRE is much harder.
Further, just checking the process list is not enough either. In this case the process list contained java but Java may only be run when triggered by another process e.g. cron, nginx, etc
Related
Our project is deploying under the tomcat9.
There is a potential memory leaking issue I'm investigating.
I have experience in Jprofiler8 to solve similar issues, but JP8 doesn't work on Tomcat9.
I googled that perhaps Jp10 supports Tomcat9 although I don't find out the Tomcat9 option in server list.
Which version of Jprofiler supports Tomcat9?
Or could you please recommend me other good tools?
Thanks.
I use eclipse 4.6 to integrate with JProfiler 10.1.4, and startup server by eclipse with profile mode. The JProfile can be executed, but cannot connect to my Tomcat9 server.Jprofiler Error Message
The Eclipse console is Eclipse Jprofiler argument
Yes, JProfiler 10 supports Tomcat 9. "Support" in this case is more relevant for the profiled JVM than for the particular servlet container.
I have got jar compiled in java 1.8 from maximo dir and on my machine i have java 1.7 installed do i need to update my machine java before i run this jar. I can not run it before knowing this since it will get recorded in some logs and will update some server side files.
This is more of a Java question than a Maximo question, but no, it will not. You will get an "Unsupported major.minor version 52.0" if you do. This is not because of any features issue, this is simply because the bytecode is tagged as being from Java 8 and so earlier JREs will not run it.
Now this assumes you actually compiled the class files using Java 8, which probably only happened if you have custom code in there. If you are just using the out-of-the-box Maximo classes, those came pre-compiled (in I don't recall which version of Java) and so all you might have done was to bundle them into a jar, or more likely into the Maximo ear (since you don't run the businessobjects.jar). In that case, it doesn't matter what version of Java you used to created the jar/ear, it will run on any version of Java that is the same as or higher than whatever version IBM used to compile the code into classes.
My problem is very absurd but really I checked many times before I write here. I have a web application. We developed it with Spring 3.2 and we are deploying it on WebLogic. jdk version is 1.7.0_79 and WebLogic version is 12.1.x. I am using Windows 8 and because of security policies of my company my computer is very slow and irritating (anti virus program, hdd encryption etc.). I decided to install Oracle Virtual Box and Oracle Linux 7 as guest OS on VirtualBox. I installed same version jdk and WebLogic for guest OS.
After prepared my dev environment I came across a deployment failure which says bean create exception (because of circular reference). I checked the code and I noticed there is really a circular reference. But when I build the project on Windows there is no problem. I compared class by class but there is no difference between two. For testing I removed Inject annotation from the field causing circular reference and I could deploy project. That is if I build same code in Linux I can not deploy it neither on Linux nor on Windows.
I extracted two war files and copied classes from war generated on Windows to other and it worked again. I know this is very strange but I tried every combination to be sure.
I am trying to setup a development box based on Fedora 23. I am using Eclipse Mars for development, and Wildfly 8 application server. The goal is to be able to use Eclipse and Wildfly together, using only the system-provided rpm packages.
The problem: I cannot use Wildfly from Eclipse, because the server is in /usr/share, and owned by root. This is understandable, even preferable. AFAIK I should use wildfly-cp to create an environment, which can be used to run Wildfly as a normal user. However, I could not manage to do so yet.
I am looking for detailed instructions how to make it work from Eclipse.
I have installed the Netbeans 6.7 IDE with Java ME included, but cannot create a Mobile Application project from the Java ME category. When I select the project type the wizard stops at "Finding Feature" with the message:
Not all requested modules can be enabled:
[StandardModule:org.netbeans.modules.mobility.end2end.kig jarFile:C:\Program Files\NetBeans 6.7\mobility8\modules\org-netbeans-modules-mobility-end2end-kit.jar.
I am attempting to run this on Vista Home Premium. I have tried to run the IDE as Administrator with no luck.
I am at a loss for where to go next as I cannot seem to find any information regarding this issue. Even if you don't have the solution any insight into this error message would be helpful.
I am unable so far to get the project running via the Netbeans IDE install. I have, for the time being, installed the Java ME SDK which includes a very stripped down version of the Netbeans IDE for mobile development.
I originally had some issues starting the SDK as well on Vista. The IDE reported that it could not connect to the device manager on localhost. After some searching I found this link: Java ME SDK Startup Problem which suggests changing the hosts file localhost entry from IPv6 to IPv4. The fix worked perfectly and I can now compile and run code in the emulator.
This is not an optimal solution as the SDK does not include the visual design tools, however I am able to get a basic project going in the mean time.
I have given up on the 6.7 version and have instead located and installed 6.5.1. This previous version has been working just fine and seems to do everything I need.
I ran into the exact same error today while installing NB 6.8 beta. To resolve it we need to install two plugins:
Java Web Applications (as mentioned by Ali above) and
Sun Java System Web Server 7.0
Note that these two are part of the Category called "Java Web and EE" hence the confusion that we need to install Glassfish App Server. But we need these two plugins because they are required for debugging using breakpoints in emulator. Netbeans runs a web server when we do breakpoint based debugging.
Also note that the Java Web applications needs SOAP Web Services and JavaScript Debugger plugins to run and so these plugins are also installed when you try to install it.
You also need to install "Java Web Applications" plugin.
Tools->Plugins->Available Plugins
If the module is present, you should try unzipping it to check its content makes sense.
You should also be able to rebuild it from Netbeans sources.
You can also try to figure out why this happens by debugging the module loader inside Netbeans from its sources, using another IDE, presumably the latest version of Netbeans you can find without the issue.
If the module is missing, you might want to get the missing jar file from an installation of a previous version of Netbeans, see if it is compatible.
6.5.1 isn't missing any module.
back in version 5.5, the mobility module had to be downloaded and installed separately from the main IDE.
If you want to consider using Eclipse for developing your J2ME app...I've written a post related to that some time ago: here.