Closed Bug 1183369 Opened 5 years ago Closed 5 years ago

Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

VERIFIED FIXED
2015-07

People

(Reporter: jorgev, Assigned: jorgev)

All current versions of the Java plugin are vulnerable to a publicly disclosed vulnerability: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Oracle plans to release an update tomorrow, but this might require an immediate block.
QA Contact: kjozwiak
Summary: Blocklist Java plugin up to Version 8 Update 45 → Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80
The blocks are now staged:

Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X 
https://addons-dev.allizom.org/en-US/firefox/blocked/p752

Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p754

Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p756

Java Plugin 8 update 45 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p758

Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p760

Java Plugin 8 update 45 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p762

Kamil, can you please take a look?
Flags: needinfo?(kjozwiak)
Keywords: qawanted
Jorge, I'll take a look first thing in the morning. I've never tested a Java blocklist but hopefully it's similar to the Flash process :)
For what it's worth, I followed https://wiki.mozilla.org/Blocklisting/Testing and everything looks good to me.

Windows 8 using Firefox 38.0 win32
=============
    File: npjp2.dll
    Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
    Version: 11.45.2.14
    State: Enabled (STATE_VULNERABLE_NO_UPDATE)
    Next Generation Java Plug-in 11.45.2 for Mozilla browsers

    File: npdeployJava1.dll
    Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npdeployJava1.dll
    Version: 11.45.2.14
    State: Enabled (STATE_VULNERABLE_NO_UPDATE)
    NPRuntime Script Plug-in Library for Java(TM) Deploy


Tested:
- Plugin is blocked and "This plugin has security vulnerabilities" is displayed? Yes
- Clicking "Activate Java." presents "Allow Now" and "Allow and Remember" door-hanger? Yes
- Clicking "Allow Now" activates the plugin for the current site and session? Yes
- Plugin remains deactivated for other sites within the same session? Yes
- Plugin is deactivated for the same site in a new session? Yes
- Clicking "Allow and Remember" keeps the plugin activated for the same site between sessions? Yes
Windows 8.1 x64 (VM):
=====================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-03-02-06-mozilla-central/

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

Ubuntu 14.04.2 x64 (VM):
========================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-00-40-06-mozilla-aurora/

File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

OSX 10.10.4 x64:
================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.

Went through the following test cases:

- used the following link to test the java block: https://www.java.com/verify
- ensured that "Allow" and "Allow and Remember" work correctly
- ensured that "Block Plugin" and "Continue Allowing" work correctly
- ensured that it worked in both e10s & non-e10s (m-c & m-a)
- ensured "is known to be vulnerable. Use with caution. <link>More Information</link>" appears under about:addons when STATE_VULNERABLE_NO_UPDATE
- ensured "More Information" opened the correct link (listed in comment # 1)

Summary:
========

Appears like the block is working as expected. However, they're all appearing as STATE_VULNERABLE_NO_UPDATE even though there are updates available. I'm guessing this is due to our end? Also Jorge, take a look and let me know if I missed something as this is the first time I'm doing a Java blocklist (I don't want to miss anything).
Flags: needinfo?(kjozwiak)
It all looks right. I staged the blocks with "update unavailable" since that was the reality at the time. I'll push the blocks live with "update available" in about an hour, unless something else comes up.
> It all looks right. I staged the blocks with "update unavailable" since that
> was the reality at the time. I'll push the blocks live with "update
> available" in about an hour, unless something else comes up.

Would it be worth it going through this again once it hits the live server? This time just checking to make sure that the blocked plugin is appearing as STATE_VULNERABLE_UPDATE_AVAILABLE??
The blocks are now live with update available on:

Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X 
https://addons.mozilla.org/en-US/firefox/blocked/p954

Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p956

Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p958

Java Plugin 8 update 45 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p960

Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p962

Java Plugin 8 update 45 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p964

Kamil, can you give these a quick look?
Status: NEW → RESOLVED
Closed: 5 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-07
Win 8.1 x64 (VM):
=================

Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

-----------
Vulnerable:
-----------

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

---------------
Not Vulnerable:
---------------

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll
Version: 11.51.2.16
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers

Ubuntu 14.04.2 x64 (VM):
========================

Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-15-09-55-19-mozilla-aurora/

-----------
Vulnerable:
-----------

File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers

File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers

---------------
Not Vulnerable:
---------------

File: libnpjp2.so
Path: /usr/java/jre1.8.0_51/lib/amd64/libnpjp2.so
Version: 11.51.2
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers

OSX 10.10.4 x64:
================

-----------
Vulnerable:
-----------

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.

---------------
Not Vulnerable:
---------------

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 51
State: Enabled
Displays Java applet content, or a placeholder if Java is not installed.
Status: RESOLVED → VERIFIED
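The verification above can be scripted against pasted about:plugins output. The following is an added example, not part of the original thread or of Mozilla's blocklist code: it flags entries whose State disagrees with the block ranges named in this bug. The `10.x`/`11.x` to Java 7/8 mapping is inferred from the listings, and the third sample entry is a constructed mismatch.

```python
import re

# Click-to-play blocks listed in this bug: (Java major, first update, last update).
BLOCKED = [(7, 79, 80), (8, 45, 45)]
# Dotted plugin version prefix -> Java major, inferred from the listings (assumption).
DOTTED_MAJOR = {10: 7, 11: 8}

# Entries in the about:plugins shape pasted in the thread (assembled for this example;
# the last entry is a constructed mismatch: a blocked version reported as plain Enabled).
SAMPLE = r"""
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)

File: libnpjp2.so
Path: /usr/java/jre1.8.0_51/lib/amd64/libnpjp2.so
Version: 11.51.2
State: Enabled

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled
"""

def parse_entries(text):
    """Split the listing on blank lines and return one dict per plugin entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if {"Version", "State"} <= fields.keys():
            entries.append(fields)
    return entries

def java_release(version):
    """Return (major, update) for '10.79.2.15' or 'Java 7 Update 79', else None."""
    m = re.fullmatch(r"Java (\d+) Update (\d+)", version.strip())
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.match(r"(\d+)\.(\d+)\.", version.strip())
    if m and int(m.group(1)) in DOTTED_MAJOR:
        return DOTTED_MAJOR[int(m.group(1))], int(m.group(2))
    return None

def is_blocked(release):
    """True when the release falls inside one of the ranges blocked in this bug."""
    return release is not None and any(
        maj == release[0] and lo <= release[1] <= hi for maj, lo, hi in BLOCKED)

def mismatches(text):
    """Entries whose State disagrees with the block ranges (either direction)."""
    return [e for e in parse_entries(text)
            if is_blocked(java_release(e["Version"])) != ("STATE_VULNERABLE" in e["State"])]
```

An empty result from `mismatches` means every listed plugin shows the state the blocks should produce, including unblocked versions such as 8 Update 51 staying plain "Enabled".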
Excuse me, I'm new here and I've not read all these technical comments (yet) but I do want to tell you about the infinite loop you've created for me. Because the link is blocked, when I go to the Add-on manager and click UPDATE I get the same BLOCKED Add-on page that I saw when I pressed the UPDATE link, which then sends me back to the Add-on page for me to click UPDATE.

How do you expect users to UPDATE any of the software you've BLOCKED under these circumstances?
Flags: needinfo?(jorge)
The update link should take you to a more useful page than the blocklist page. I'm not sure why that's happening, sorry about that. However, the blocklist page should point to our plugin check page, which should be more useful: http://www.mozilla.org/plugincheck/. Or just take a shortcut and go to https://java.com/.
Flags: needinfo?(jorge)
(In reply to Jorge Villalobos [:jorgev] from comment #10)
> The update link should take you to a more useful page than the blocklist
> page. I'm not sure why that's happening, sorry about that.

I'm hearing this again and again from different people. Do we have a bug filed for that?
Flags: needinfo?(jorge)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #10)
> > The update link should take you to a more useful page than the blocklist
> > page. I'm not sure why that's happening, sorry about that.
> 
> I'm hearing this again and again from different people. Do we have a bug
> filed for that?

Bug # 798176, CC'd Jorge and yourself if you two want to jump into the conversation :)
Flags: needinfo?(jorge)
Hey guys, 
I don't know what you updated here. I still can't update my Java. Can you please unblock this thing. Now I can't work from home because of this. I installed new Java 8 from website and I still get the same message that it is blocked.
(In reply to Deima from comment #13)
> Hey guys, 
> I don't know what you updated here. I still can't update my Java. Can you
> please unblock this thing. Now I can't work from home because of this. I
> installed new Java 8 from website and I still get the same message that it
> is blocked.

Which version did you download/install? The latest version is Java SE 8u51 and that shouldn't be blocked. What version does "about:plugins" and "about:addons" list?
Java company stopped updating Java 7 (I have it on my portable computer) on Windows XP. XP is not working for Java 8.
Product: addons.mozilla.org → Toolkit