My problem is very absurd but really I checked many times before I write here. I have a web application. We developed it with Spring 3.2 and we are deploying it on WebLogic. jdk version is 1.7.0_79 and WebLogic version is 12.1.x. I am using Windows 8 and because of security policies of my company my computer is very slow and irritating (anti virus program, hdd encryption etc.). I decided to install Oracle Virtual Box and Oracle Linux 7 as guest OS on VirtualBox. I installed same version jdk and WebLogic for guest OS.
After prepared my dev environment I came across a deployment failure which says bean create exception (because of circular reference). I checked the code and I noticed there is really a circular reference. But when I build the project on Windows there is no problem. I compared class by class but there is no difference between two. For testing I removed Inject annotation from the field causing circular reference and I could deploy project. That is if I build same code in Linux I can not deploy it neither on Linux nor on Windows.
I extracted two war files and copied classes from war generated on Windows to other and it worked again. I know this is very strange but I tried every combination to be sure.
Related
I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions.
What I am unable to find is if a particular server does not have Java installed i.e. if I log in as root and run java -version and get java: command not found is this server completely safe from this issue and so I can move on?
My initial instinct was: no Java - no issue. However, GitHub released an update for their Enterprise servers stating:
CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.
And yet Java is not installed on their enterprise server.
I am guessing the offending service must be with Java running in a docker container. So I think I need to consider Java on the machine or Java running in a container.
Are there other hidden ways I have not considered in which this log4j process can be running?
log4j2 is a library that must be used by a running java process, to be vulnarable. But you are right, that checking if the java command is installed to the command line is not enough.
Here are two options (not meant to be complete), how your system could still be vulnerable without having the java command available on the command line.
Java could be downloaded into a directory without adding the java command or directory to the executable PATH. By using a .bash (or .bat) script a java process pointing to the downloaded java version could still be started. But when the directory is not added to the path, you will not find the java command enabled.
Java could be running inside of a docker container. the java command would only be available inside of your docker container but not visible from outside. I am not sure if an additional exploit would be required to break out of the container of if this is easily possible without extra effort.
I don't have a full answer yet but very definitely NO you are not safe even if Java is not installed, and Docker is not installed, and Java is not running in the process list, and Java is not in your yum/apt installed applications lists.
An obvious case I had not considered is when Java is added to an app as a JRE.
A Coverity platform server we have does not install Java but Java is running e.g. ps -ax | grep java
/home/coverity/cov_platform-2021.9.0/jre/bin/java -Djava.awt.headless=true -Djdk.tls......
Working out if a vulnerable version of Log4j is included in that JRE is much harder.
Further, just checking the process list is not enough either. In this case the process list contained java but Java may only be run when triggered by another process e.g. cron, nginx, etc
I am trying to setup a development box based on Fedora 23. I am using Eclipse Mars for development, and Wildfly 8 application server. The goal is to be able to use Eclipse and Wildfly together, using only the system-provided rpm packages.
The problem: I cannot use Wildfly from Eclipse, because the server is in /usr/share, and owned by root. This is understandable, even preferable. AFAIK I should use wildfly-cp to create an environment, which can be used to run Wildfly as a normal user. However, I could not manage to do so yet.
I am looking for detailed instructions how to make it work from Eclipse.
I have a problem that allegedly isn't possible, so I'm having a heck of a time finding an answer.
I have the latest version of NetBeans 7.4, running on fully-updated Fedora 20 x64. Officially, this can work with JavaFX. Period. I have both the JDK from the repo (1.7.something) and the very latest version I could find (1.8.0). Officially, these have JavaFX with them. Period.
If I try to create a new JavaFX project, it has this to say:
Failed to automatically set-up a JavaFX Platform.
Please go to Platform Manager, create a non-default Java SE platform, then go to the JavaFX tab,
enable JavaFX and fill in the paths to valid JavaFX SDK and JavaFX Runtime.
Note: JavaFX SDK can be downloaded from JavaFX website.
Well alright, I'm used to things getting confused, I think I can fix this. Go create a new platform, and... there's no "JavaFX" tab. It took a bit of research to even find out what it was talking about, and in the process I discovered that the tab has actually been removed from 7.4. Because NetBeans 7.4 will absolutely, definitely recognize JavaFX automatically. Period.
Going to the actual JavaFX site tells me, as expected, that it's bundled with the Java SE 7 JDK I already have. Period.
Since the end result I'm after could technically be achieved by integrating one JavaFX component into my Swing application, I attempted that, but NetBeans still can not find anything related to JavaFX and therefore yells at me if I try to import such a thing.
So, given that things that are supposed to just plain work just plain aren't... where can I go from here?
Currently in Debian and Ubuntu (probably others) JavaFX is a separate package from the OpenJDK (openjdk-8-jdk) and so needs to be installed:
sudo apt-get install libopenjfx-java libopenjfx-java-doc
Notable issue (this issue does not impact a Maven, JavaFX application so if that is your preferred build method then ignore the following issue):
If you try to create a new project:
Categories > JavaFX
Project > JavaFXApplication
You'll get:
Internal error. Missing resources [/resources/web-files/javafx-loading-100x100.gif]
/home/ken/NetBeansProjects/vestFxReports/nbproject/jfx-impl.xml:1465: The following error occurred while executing this line:
/home/ken/NetBeansProjects/vestFxReports/nbproject/jfx-impl.xml:3093: The following error occurred while executing this line:
/home/ken/NetBeansProjects/vestFxReports/nbproject/jfx-impl.xml:2055: Error: -includedt requires the java deployment toolkit, which is not included in this distribution
BUILD FAILED (total time: 1 second)
To fix the above error [following steps are derived from here: http://hongouru.blogspot.com.uy/2015/09/solved-error-building-new-project-using.html]:
Switch to the files tab (usually you're on the Project tab).
Expand the node for your project >
expand the nbproject node > open the "project.properties" file.
Find the line javafx.deploy.includeDT=true and change true to false.
Now you can create and run a JavaFX application, on OpenJDK.
Next steps, although beyond the issue at hand you'll probably at some point want to download the JavaFX scene builder: http://www.oracle.com/technetwork/java/javafxscenebuilder-1x-archive-2199384.html
Apparently, the issue is indeed a discrepancy between the open-source OpenJDK provided by most Linux distributions, and the proprietary Oracle JDK. Ironically, this is a well-known issue, but you have to specifically search for it to find it, and by then you already know.
The solution is to download the official Oracle JDK, and if necessary create the matching platform in NetBeans (located under /usr/java/jdk... at this moment). It should work perfectly fine after that.
Perhaps the official documentation
https://netbeans.org/kb/docs/java/nb_fx_screencast.html
https://netbeans.org/kb/72/java/javafx-setup.html
may help you to set it up
I'm trying to investigate why would my app, written in VC 2008, crash on bare Windows XP with c0000005. It works great on any windows vista and 7. On XP it would crash with no additional info. Below are the details and the result of a few days worth of my headaches, eliminating one reason after another. Here's the details:
I have Win7 ultimate with XP Mode with iexplore 6 and presumably no patches whatsoever.
I install my program and nothing else, since it is supposed to be install-and-run thing with no additional packages needed.
My app has compiled-in VC2008 runtime (using /MT, as opposed to /MD compiler switch)
I'm using firebird embedded, which needs VC2005 (edited, i wrote VC2008 before) libs for itself anyway, so i put them in my app's working dir
when i install VC++ 2008 on this XP Mode machine, it doesn't crash anymore, so debugging this way is impossible
I've narrowed this error's occurence down to the VC2005 runtime - right after i install it my app stops crashing. But i don't know what could be using it's components. When running the release version under VC2008 IDE, nothing shows any vc2005 libs being loaded (weird, if i say so myself).
My app's linker's dependencies lists these (i added only the first two, the rest was there courtesy of VisualStudio): jpeg.lib, gdiplus.lib, kernel32.lib, user32.lib, gdi32.lib, winspool.lib, comdlg32.lib, advapi32.lib, shell32.lib, ole32.lib, oleaut32.lib, uuid.lib, odbc32.lib, odbccp32.lib, comctl32.lib, %(AdditionalDependencies)
I am also using IBPP firebird interface, which loads these dynamically, so they are present in my app's dir (they need msvc?80.dlls):
fbembed.dll, ib_util.dll, icudt30.dll, icuin30.dll, icuuc30.dll, msvcp80.dll, msvcr80.dll
Please advise why would vc2005 runtime be a remedy for my app to not crash on a bare Win XP. Or how could i debug that one without installing vc 2008 on target machine. I'm starting to blame windows xp's components. Ultimately i want my app to not require any additional packages, such as VC2008 or 2005, especially when no component of my app requires the latter.
I am also using IBPP firebird interface ... msvcp80.dll, msvcr80.dll
The answer is in your question, these DLLs are VS2005 runtime support DLLs. They cannot be stored in your exe directory, they must be registered in the side-by-side cache. This does not typically cause an AV, but it isn't impossible if the code doesn't check the return value of LoadLibrary(). You can download an installer for them from Microsoft. It doesn't otherwise have anything to do with Windows XP, you just happened to try to run this program on machines that already had the DLLs installed. Very common on a dev machine for example.
If you don't want a dependency on them then you'll have to rebuild those DLLs that require it. Which is a good idea, having a dependency on more than one version of the CRT is pretty unhealthy.
If you are wondering why you are having to deal with this: it was Microsoft's attempt to put DLL Hell in the developer's lap instead of the user's. They've since withdrawn this, VS2010 again makes it a user problem. That was a pretty big party in Bangalore, I'd imagine.
I have installed the Netbeans 6.7 IDE with Java ME included, but cannot create a Mobile Application project from the Java ME category. When I select the project type the wizard stops at "Finding Feature" with the message:
Not all requested modules can be enabled:
[StandardModule:org.netbeans.modules.mobility.end2end.kig jarFile:C:\Program Files\NetBeans 6.7\mobility8\modules\org-netbeans-modules-mobility-end2end-kit.jar.
I am attempting to run this on Vista Home Premium. I have tried to run the IDE as Administrator with no luck.
I am at a loss for where to go next as I cannot seem to find any information regarding this issue. Even if you don't have the solution any insight into this error message would be helpful.
I am unable so far to get the project running via the Netbeans IDE install. I have, for the time being, installed the Java ME SDK which includes a very stripped down version of the Netbeans IDE for mobile development.
I originally had some issues starting the SDK as well on Vista. The IDE reported that it could not connect to the device manager on localhost. After some searching I found this link: Java ME SDK Startup Problem which suggests changing the hosts file localhost entry from IPv6 to IPv4. The fix worked perfectly and I can now compile and run code in the emulator.
This is not an optimal solution as the SDK does not include the visual design tools, however I am able to get a basic project going in the mean time.
I have given up on the 6.7 version and have instead located and installed 6.5.1. This previous version has been working just fine and seems to do everything I need.
I ran into the exact same error today while installing NB 6.8 beta. To resolve it we need to install two plugins:
Java Web Applications (as mentioned by Ali above) and
Sun Java System Web Server 7.0
Note that these two are part of the Category called "Java Web and EE" hence the confusion that we need to install Glassfish App Server. But we need these two plugins because they are required for debugging using breakpoints in emulator. Netbeans runs a web server when we do breakpoint based debugging.
Also note that the Java Web applications needs SOAP Web Services and JavaScript Debugger plugins to run and so these plugins are also installed when you try to install it.
You also need to install "Java Web Applications" plugin.
Tools->Plugins->Available Plugins
If the module is present, you should try unzipping it to check its content makes sense.
You should also be able to rebuild it from Netbeans sources.
You can also try to figure out why this happens by debugging the module loader inside Netbeans from its sources, using another IDE, presumably the latest version of Netbeans you can find without the issue.
If the module is missing, you might want to get the missing jar file from an installation of a previous version of Netbeans, see if it is compatible.
6.5.1 isn't missing any module.
back in version 5.5, the mobility module had to be downloaded and installed separately from the main IDE.
If you want to consider using Eclipse for developing your J2ME app...I've written a post related to that some time ago: here.