WebLogic Server, Apache Commons and You

Oracle released Security Alert CVE-2015-4852 last night, its official security response to a much-publicized vulnerability involving certain usages of the Apache Commons library in the major J2EE application servers.

If you have access to the Oracle Support Network, the best reference is https://support.oracle.com/rs?type=doc&id=2076338.1.

For an Apache POV of the situation, I suggest https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread.

Infoworld has a calmer discussion of the issue at http://www.infoworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html.

I personally heard about this first from /., where there is an informative thread (with the usual trolling in between) at http://developers.slashdot.org/story/15/11/08/0346258/vulnerability-in-java-commons-library-leads-to-hundreds-of-insecure-applications.
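CVE-2015-4852 is a Java deserialization issue: an ObjectInputStream fed untrusted bytes instantiates whatever serializable classes the stream names, and the Apache Commons Collections classes on an application server's classpath give an attacker something useful to name. As an added example (not code from this post, Oracle or Apache), here is an allowlisting ObjectInputStream for a hypothetical endpoint that expects only an Order object; the Order type and the allowlist are assumptions.

```java
import java.io.*;
import java.util.Set;

public class LookAheadDeserializer {
    // Assumed allowlist for this endpoint: only these class names may be resolved from
    // a stream. The Commons Collections transformer classes are not on it, so a stream
    // naming them is rejected before any object is constructed.
    static final Set<String> ALLOWED = Set.of("LookAheadDeserializer$Order");
    // Constructed payload type standing in for what the endpoint legitimately receives.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku; final int quantity;
        Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }
        // Invoked for every class descriptor as it is read, i.e. before the instance
        // exists, so a disallowed class never gets to run its readObject().
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) deserialize(serialize(new Order("SKU-42", 3)));
        System.out.println("accepted: " + ok.sku + " x" + ok.quantity);
        try {   // a HashMap is harmless, but it is not on the list and is refused the same way
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Java 9 added ObjectInputFilter (JEP 290), since backported to later Java 8 and 7 updates, which provides the same allowlisting through a filter rather than a subclass; the override above is the portable form.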

© Scott S. Nelson

Early Morning Security Ramblings

Posting it here for those who don't belong to LinkedIn or subscribe to Answers there:

Q:  Which Tastes Better for Security, Java or .NET?

Both of these two languages are safe from a security point of view, each at its own level, but which one tastes better with respect to your working experience?

A:  As others have noted, the security of the individual applications written in these languages depends on the development approach used. The next level from there is the application servers, which really depends on the app server vendor for Java and again comes back to the developer and the server admin. And, of course, the servers sit inside an operating system, which adds another layer of vulnerability. This is the point where the earlier poster who noted that Microsoft is more often the target comes into play. Microsoft is more often targeted, which increases the likelihood of someone trying to break in. However, the biggest threat is admins and/or policies that prevent keeping up to date on patches. Then there is the architecture as a whole, where there are points in the network, the structure of the firewalls and the accessibility of data. There are still plenty of admin servers that have the default login credentials set.

Then again, the vast majority of real digital break-ins come from the hacker knowing passwords in advance, which is an issue that is platform independent 🙂
