I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions.
What I am unable to find is if a particular server does not have Java installed i.e. if I log in as root and run java -version and get java: command not found is this server completely safe from this issue and so I can move on?
My initial instinct was: no Java - no issue. However, GitHub released an update for their Enterprise servers stating:
CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.
And yet Java is not installed on their enterprise server.
I am guessing the offending service must be with Java running in a docker container. So I think I need to consider Java on the machine or Java running in a container.
Are there other hidden ways I have not considered in which this log4j process can be running?
log4j2 is a library that must be used by a running java process, to be vulnarable. But you are right, that checking if the java command is installed to the command line is not enough.
Here are two options (not meant to be complete), how your system could still be vulnerable without having the java command available on the command line.
Java could be downloaded into a directory without adding the java command or directory to the executable PATH. By using a .bash (or .bat) script a java process pointing to the downloaded java version could still be started. But when the directory is not added to the path, you will not find the java command enabled.
Java could be running inside of a docker container. the java command would only be available inside of your docker container but not visible from outside. I am not sure if an additional exploit would be required to break out of the container of if this is easily possible without extra effort.
I don't have a full answer yet but very definitely NO you are not safe even if Java is not installed, and Docker is not installed, and Java is not running in the process list, and Java is not in your yum/apt installed applications lists.
An obvious case I had not considered is when Java is added to an app as a JRE.
A Coverity platform server we have does not install Java but Java is running e.g. ps -ax | grep java
/home/coverity/cov_platform-2021.9.0/jre/bin/java -Djava.awt.headless=true -Djdk.tls......
Working out if a vulnerable version of Log4j is included in that JRE is much harder.
Further, just checking the process list is not enough either. In this case the process list contained java but Java may only be run when triggered by another process e.g. cron, nginx, etc
From what I see oracle jdk isn't present in all major linux distros.
There's only openjdk version. So if you want to use oracle, the only option is to download jdk from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html and configure it manually.
Openjdk and oracle version are almost identical except some parts (some closed source third party components like a graphics rasterizer, some open source third party components).
Which jvm servers use in production and how they intall and update jvm/jdk if it's oracle
version? (With openjdk it's easy with package manager)
Which jvm/jdk do you use in dev and prod in linux?
It seems to me like java environment is a second class citizen in linux.
Which JVM servers are used in production and how do
they install and update JVM/JDK if it's Oracle version?
The Oracle JVM is used in PROD. For PROD (and not only),
usually manual installations take place.
Which JVM/JDK do you use in DEV and PROD in linux?
Again the Oracle one (for both DEV and PROD).
The above answers are based simply on my experience
(that is I don't claim these to be some best practices).
I am thinking of kicking off a JavaFX project on my 64-bit Windows 7 machine. What I am doing is designing a full-screen console application. It's not interactive aside from a barcode scanner.
I'm designing this for what I think would be an Ubuntu laptop or some other Linux variation, although a different Windows OS is a possibility too (as well as 32 bit). From what I understand Java FX version 2.x has made great advancements in portability from its predecessor, but I wanted to ask the community here what their experience was in deploying JavaFX apps.
Have you had success using them on a variety of different architectures? What are some problems you have encountered?
Checkout EstiMate for an example of an all-in-one jar which is runnable via double click.
https://bitbucket.org/atill/estimate/downloads
It requires Java7u10 installed. I plan to make a proper installer for it later on, using the javafx maven plugin. https://github.com/zonski/javafx-maven-plugin. I haven't tested it on Linux or Mac but it does work across winXP 32bit and 64bit windows7.
As long as your barcode scanner works the same on ubuntu as on win and you are not using any external libraries, you won't notice the difference between those systems from your app.
I found installing oracle JRE on ubuntu the most difficult task. (with JRE_HOME, etc.) Even on Archlinux was easier than ubuntu.
Nevertheless, once the JRE is set, your app will run even on Raspberry Pi (which is ARM not x86)
Remember about file system differences between systems.
I made my application as install setup by install shield 5.0 on 32bit machine but before that i migrated my application into 64bit. after installed my application on 64bit machine, my application registry values are gone into under wow6432 node as HKLM\SOFTWARE\Wow6432Node(myapplication) but my application trying to read those values from HKLM\SOFTWARE(myapplication). could you please where is the wrong. what shall i do this case.
thanks,
KAM
Your install is 32-bit and it automatically writes to Wow6432Node on 64-bit system. You need to disable registry reflection or to directly write to 64-bit registry key (I don't know how to do that on install shield, but you should find it in the manual, search for Registry Reflection).
See my answer here on how to explicitly read the 32 or 64-bit 'views' of the registry. You have a few options depending on your situation - you can make the 32-bit version read the 64-bit view (so it'll use HKLM/Software. This means that you won't need to change the installer) or you could force the 64-bit version read the 32-bit view (this may be better if you need different options in the 32 and 64-bit versions)
We are getting new dev machines and moving up to Vista 64 Ultimate to take advantage of our 8gb ram. Our manager wants us to do all dev in 32bit virtual machines to make sure there will be no problems with our code moving into production.
Is there any way to guarantee the resultant programs will work on 32bit os's?
I don't mind using virtual machines, but I don't like how they force you back into a "Single" monitor type view. I like moving my VS toolbars off to my other monitor.
EDIT: We are using Visual Studio 2005 and 2008, VB.NET and/or C#
EDIT: Using Harpreet's answer, these are the steps I used to set my Visual Studio IDE to compile x86 / 32bit:
Click Build and open Configuration Manager
Select Active Solution Platform drop down list
Select x86 if it is in the list and skip to step 5, if not Select <New...>
In the New Solution Platform dialog, select x86 and press OK
Verify the selected platform for all of your projects is x86
Click Close.
Enjoy.
Thank you,
Keith
I do development on 64 bit machines for 32 bit Windows. It's not a problem. You should make sure that your projects are set to compile in x86 mode in order to be conservative. You'll want to go through each project in the solution and double check this. You could also use the AnyCPU setting but that's a little riskier since it will run differently on your dev machine than a 32 bit machine. You want to avoid the 64bit mode, of course.
The problems I've run into are drivers that don't work when the app is compiled for 64 bit (explicitly 64 bit or AnyCPU compiled and running on 64 bit Windows). Those problems are completely avoidable by sticking with x86 compilation. That should reveal all flaws on your dev machines.
Ideally, you could set up a build and test environment that could be executed against frequently on a 32 bit machine. That should reassure your management and let you avoid the VM as your desktop.
As long as you compile your executables as 32 bit, they will run on both 32 bit and 64 Windows machines (guaranteed). Using 64 dev machines has the advantage that you can start testing your code with 64 bit compilation (to check for things like pointers casted to 32 bit integers), this way making the transition to 64 bit easier in the future (should you your company choose to do a 64 bit version).
Compiling for a 64bit OS is an option in the compiler. You can absolutely compile to a 32bit exe from within Vista 64 bit. When you run the app, you can then see in the TaskManager that there is a "*32" next to the process...this means it's 32bit ;)
I believe your managers need some more education on what 64bit OS really means :)
Not an answer to your question, but possibly a solution to your problem: VirtualBox (and probably others) supports "seamless integration" mode, which just gives you a second start bar and lets you drag windows around freely.
Also, and this is an answer to your question, it depends on your compile settings. You can compile for different environments, and you can perfectly compile 32-bit programs on a 64-bit system with Visual Studio. Can't tell you how, but I'm sure some Visual Studio guru could help you out.
We develop a 32-bit application using VS 2005 (2008 soon) and have just purchased some new machines with XP Pro x64 or Vista Business 64-bit on them so that we can take advantage of the extra RAM whilst holding a watching brief on the possibility of doing a 64-bit port if it becomes commercially necessary to do so. We haven't had any problems with doing this other than tweaking some scripts in our development environment etc.
Those developers who weren't included in this upgrade cycle still use 32-bit machines, so these should pick up problems when the unit tests and the application test suite are run as a matter of course before a check-in.
What we also do is to make sure that we have a set of "test build" machines made up of "typical" configurations (XP/Vista, 2/4/8 cores, etc.) that build and test sets of check-ins - we have various different test suites for stability, performance, etc. - before they are added to the integration area proper. Again, these haven't picked up any problems with running a 32-bit application built on a 64-bit OS.
Anyway, as others have already said, I wouldn't expect it to be a problem because it's the compiler that generates the appropriate code for the target OS regardless of the OS that the compiler is actually running on.
yeah, like adam was saying. There's 3 options: MSIL (default), x64, and x86. You can target x64 and it will generate dll's specifically for 64-bit systems, or you can do x86 which will run on 32-bit and 64-bit, but will have the same restrictions as 32-bit on a 64-bit system.
MSIL will basically let the JITer issue the platform specific instruction (at a slight performance penalty compared to a native image)
EDIT: no language, so i'm talking about .net framework languages like vb.net and c#, c++ is a completely different animal.
Found this today:
http://www.brianpeek.com/blog/archive/2007/11/13/x64-development-with-net.aspx
x64 Development with .NET
Earlier this year I made the switch to a 64-bit operating system - Vista Ultimate x64 to be exact. For the most part, this process has been relatively painless, but there have been a few hiccups along the way (x64 compatible drivers, mainly, but that's not the point of this discussion).
In the world of x64 development, there have been a few struggling points that I thought I'd outline here. This list will likely grow, so expect future posts on the matter.
In the wonderful world of .NET development, applications and assemblies can be compiled to target various platforms. By default, applications and assemblies are compiled as Any CPU in Visual Studio. In this scenario, the CLR will load the assembly as whatever the default target is for the machine it is being executed on. For example, when running an executable on an x64 machine, it will be run as a 64-bit process.
Visual Studio also provides for 3 specific platform targets: x86, x64 and Itanium (IA-64). When building an executable as a specific target, it will be loaded as a process of that type. For example, an x86-targeted executable run on an x64 machine will run as a 32-bit process using the 32-bit CLR and WOW64 layer. When assemblies are loaded at runtime, they can only be loaded by a process if their target matches that of the hosting process, or it is compiled as Any CPU. For example, if x64 were set as the target for an assembly, it can only be loaded by an x64 process.
This has come into play in a few scenarios for me:
XNA - XNA is available as a set of 32-bit assemblies only. Therefore, when referencing the XNA assemblies, the executable/assembly using them must be targeted to the x86 platform. If it is targeted as x64 (or as Any CPU and run on a 64-bit machine), an error will be thrown when trying to load the XNA assemblies.
Microsoft Robotics Studio - The XInputGamepadService uses XNA internally to talk to the Xbox 360 controller. See above.
Managed DirectX - While this is already deprecated and being replaced with XNA, it still has its uses. The assemblies are not marked for a specific target, however I had difficulty with memory exceptions, especially with the Microsoft.DirectX.AudioVideoPlayback assembly.
Phidgets - Depending on what library you download and when, it may or may not be marked as 32-bit only. The current version (11/8/07) is marked as such, and so requires a 32-bit process to host it.
The easiest way to determine if an executable or assembly is targeted to a specific platform is to use the corflags application. To use this, open a Visual Studio Command Prompt from your Start menu and run it against the assembly you wish to check.
The easiest way to determine if an executable or assembly is targeted to a specific platform is to use the corflags application. To use this, open a Visual Studio Command Prompt from your Start menu and run it against the assembly you wish to check.