Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 20 Oct 2017 10:33:46 +0700
From: Tellier Benoit <>
Subject: Announce: Apache James 3.0.1 security release

I, in the name of Apache James PMCs, am glad to announce you the release
version 3.0.1 of Apache James server.

It fixes vulnerability described in CVE-2017-12628. The JMX server, also
used by the command line client is exposed to a java de-serialization
issue, and thus can be used to execute arbitrary commands. As James
exposes JMX socket by default only on local-host, this vulnerability can
only be used for privilege escalation.

Release 3.0.1 upgrades the incriminated library.

Note that you can take additional defensive steps in order to mitigate
this vulnerability:

 - Ensure that you restrict the access to JMX only on local-host

 - Ensure that you are using a recent Java Run-time Environment. For
instance OpenJDK 8 u111 is vulnerable but OpenJDK 8 u 141 is not.

 - You can additionally run James in a container to limit damages of
potential exploits

 - And of course upgrade to the newest 3.0.1 version.

Best regards,

Benoit Tellier

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.