Date: Fri, 20 Oct 2017 10:33:46 +0700
From: Tellier Benoit <btellier@...che.org>
To: oss-security@...ts.openwall.com
Subject: Announce: Apache James 3.0.1 security release

I, in the name of the Apache James PMCs, am glad to announce to you the release of version 3.0.1 of the Apache James server. It fixes the vulnerability described in CVE-2017-12628.

The JMX server, also used by the command line client, is exposed to a Java deserialization issue, and thus can be used to execute arbitrary commands. As James exposes the JMX socket by default only on localhost, this vulnerability can only be used for privilege escalation.

Release 3.0.1 upgrades the incriminated library.

Note that you can take additional defensive steps in order to mitigate this vulnerability:

- Ensure that you restrict access to JMX to localhost only
- Ensure that you are using a recent Java Runtime Environment. For instance, OpenJDK 8u111 is vulnerable but OpenJDK 8u141 is not.
- You can additionally run James in a container to limit the damage of potential exploits
- And of course upgrade to the newest 3.0.1 version.

Best regards,
Benoit Tellier
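The two configuration-level mitigations in the announcement (JMX restricted to localhost, a recent JRE) are the ones an operator can verify without upgrading first. The following audit script is an added example written for this page, not Apache James project code. It assumes the James JMX configuration uses the property names jmx.enabled, jmx.address and jmx.port in conf/jmx.properties (confirm against your own installation), assumes the usual OpenJDK 8 `java -version` output layout, and takes 8u141 from the advisory as the conservative bar because the message names 8u141 as not vulnerable and 8u111 as vulnerable without stating the exact cut-off. All sample configuration and version strings are constructed for the example.

```python
"""Configuration audit for the CVE-2017-12628 mitigations listed in the advisory.

Added example, not Apache James project code. It checks the JMX bind address
and the JRE update level. Property names (jmx.enabled / jmx.address /
jmx.port) are an assumption about James' conf/jmx.properties.
"""
import ipaddress
import re

# The advisory names OpenJDK 8u141 as not vulnerable and 8u111 as vulnerable,
# without giving the exact cut-off, so 141 is used here as the conservative bar.
SAFE_JAVA8_UPDATE = 141

# Constructed sample configurations (not taken from any real deployment).
JMX_PROPERTIES_EXPOSED = """\
# JMX bound to every interface: reachable from the network
jmx.enabled=true
jmx.address=0.0.0.0
jmx.port=9999
"""

JMX_PROPERTIES_LOOPBACK = """\
jmx.enabled=true
jmx.address=127.0.0.1
jmx.port=9999
"""

# Constructed `java -version` output in the usual OpenJDK 8 layout.
JAVA_VERSION_OLD = """\
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-8u111-b14-2ubuntu0.16.04.2-b14)
OpenJDK 64-Bit Server VM (build 25.111-b14, mixed mode)
"""

_PROPERTY_RE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")
_JAVA8_RE = re.compile(r'version "1\.8\.0_(\d+)')


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, key:value or key value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PROPERTY_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def jmx_exposure(props):
    """Return (status, detail) where status is 'ok', 'exposed' or 'review'."""
    if props.get("jmx.enabled", "true").strip().lower() == "false":
        return "ok", "JMX is disabled"
    address = props.get("jmx.address", "").strip()
    if address.lower() == "localhost":
        return "ok", "JMX bound to localhost"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "review", f"jmx.address={address!r} is not an IP literal; check what it resolves to"
    if ip.is_loopback:
        return "ok", f"JMX bound to loopback address {address}"
    return "exposed", f"JMX bound to {address}: reachable beyond the host"


def java8_update(version_output):
    """Extract the Java 8 update number from `java -version` output, or None."""
    match = _JAVA8_RE.search(version_output)
    return int(match.group(1)) if match else None


def jre_status(version_output):
    """'ok' at or above the advisory's safe update, 'outdated' below, 'review' if unparsed."""
    update = java8_update(version_output)
    if update is None:
        return "review"
    return "ok" if update >= SAFE_JAVA8_UPDATE else "outdated"


def audit(properties_text, version_output):
    """Combine both checks into a list of (check, status, detail) findings."""
    status, detail = jmx_exposure(parse_properties(properties_text))
    findings = [("jmx-binding", status, detail)]
    update = java8_update(version_output)
    findings.append(("jre-version", jre_status(version_output),
                     f"detected OpenJDK 8u{update}" if update else "could not parse java -version"))
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", JMX_PROPERTIES_EXPOSED), ("loopback", JMX_PROPERTIES_LOOPBACK)):
        for check, status, detail in audit(conf, JAVA_VERSION_OLD):
            print(f"[{name}] {check}: {status} ({detail})")
```

Run it against the real conf/jmx.properties and the captured output of `java -version` on the James host; an "exposed" binding or an "outdated" JRE means the advisory's in-place mitigations are not yet in effect and the 3.0.1 upgrade should not be delayed. The "review" result is deliberate: a hostname in jmx.address or a non-Java-8 runtime cannot be judged from the file alone.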