Bug 1183369 (Closed)
Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80
Opened 10 years ago, closed 10 years ago
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: VERIFIED FIXED
Target Milestone: 2015-07
People: Reporter: jorgev, Assigned: jorgev
All current versions of the Java plugin are vulnerable to a publicly disclosed vulnerability: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html. Oracle plans to release an update tomorrow, but this might require an immediate block.
Updated (Assignee)•10 years ago
QA Contact: kjozwiak
Summary: Blocklist Java plugin up to Version 8 Update 45 → Blocklist Java plugin up to Version 8 Update 45 and Version 7 Update 80
Comment 1 (Assignee)•10 years ago
The blocks are now staged:
Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p752
Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p754
Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p756
Java Plugin 8 update 45 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p758
Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p760
Java Plugin 8 update 45 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p762
Kamil, can you please take a look?
Flags: needinfo?(kjozwiak)
Keywords: qawanted
Comment 2•10 years ago
Jorge, I'll take a look first thing in the morning. I've never tested a Java blocklist but hopefully it's similar to the Flash process :)
Comment 3•10 years ago
For what it's worth, I followed https://wiki.mozilla.org/Blocklisting/Testing and everything looks good to me.
Windows 8 using Firefox 38.0 win32
=============
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.14
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers
File: npdeployJava1.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npdeployJava1.dll
Version: 11.45.2.14
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
NPRuntime Script Plug-in Library for Java(TM) Deploy
Tested:
- Plugin is blocked and "This plugin has security vulnerabilities" is displayed? Yes
- Clicking "Activate Java." presents "Allow Now" and "Allow and Remember" door-hanger? Yes
- Clicking "Allow Now" activates the plugin for the current site and session? Yes
- Plugin remains deactivated for other sites within the same session? Yes
- Plugin is deactivated for the same site in a new session? Yes
- Clicking "Allow and Remember" keeps the plugin activated for the same site between sessions? Yes
Comment 4•10 years ago
Windows 8.1 x64 (VM):
=====================
Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-03-02-06-mozilla-central/
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers
Ubuntu 14.04.2 x64 (VM):
========================
Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-00-40-06-mozilla-aurora/
File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers
File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers
File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers
OSX 10.10.4 x64:
================
Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Displays Java applet content, or a placeholder if Java is not installed.
Went through the following test cases:
- used the following link to test the java block: https://www.java.com/verify
- ensured that "Allow" and "Allow and Remember" work correctly
- ensured that "Block Plugin" and "Continue Allowing" work correctly
- ensured that it worked in both e10s & non-e10s (m-c & m-a)
- ensured "is known to be vulnerable. Use with caution. <link>More Information</link>" appears under about:addons when STATE_VULNERABLE_NO_UPDATE
- ensured "More Information" opened the correct link (listed in comment # 1)
Summary:
========
Appears like the block is working as expected. However, they're all appearing as STATE_VULNERABLE_NO_UPDATE even though there are updates available. I'm guessing this is due to our end? Also Jorge, take a look and let me know if I missed something as this is the first time I'm doing a Java blocklist (I don't want to miss anything).
Flags: needinfo?(kjozwiak)
Comment 5 (Assignee)•10 years ago
It all looks right. I staged the blocks with "update unavailable" since that was the reality at the time. I'll push the blocks live with "update available" in about an hour, unless something else comes up.
Comment 6•10 years ago
> It all looks right. I staged the blocks with "update unavailable" since that
> was the reality at the time. I'll push the blocks live with "update
> available" in about an hour, unless something else comes up.
Would it be worth it going through this again once it hits the live server? This time just checking to make sure that the blocked plugin is appearing as STATE_VULNERABLE_UPDATE_AVAILABLE??
Comment 7 (Assignee)•10 years ago
The blocks are now live with update available on:
Java Plugin 7 update 79 to 80 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p954
Java Plugin 8 update 45 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p956
Java Plugin 7 update 79 to 80 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p958
Java Plugin 8 update 45 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p960
Java Plugin 7 update 79 to 80 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p962
Java Plugin 8 update 45 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p964
Kamil, can you give these a quick look?
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-07
Comment 8•10 years ago
Win 8.1 x64 (VM):
=================
Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/
-----------
Vulnerable:
-----------
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.79.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Version: 10.80.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll
Version: 11.45.2.15
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers
---------------
Not Vulnerable:
---------------
File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll
Version: 11.51.2.16
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers
Ubuntu 14.04.2 x64 (VM):
========================
Build used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-15-09-55-19-mozilla-aurora/
-----------
Vulnerable:
-----------
File: libnpjp2.so
Path: /usr/java/jre1.7.0_79/lib/amd64/libnpjp2.so
Version: 10.79.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.79.2 for Mozilla browsers
File: libnpjp2.so
Path: /usr/java/jre1.7.0_80/lib/amd64/libnpjp2.so
Version: 10.80.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 10.80.2 for Mozilla browsers
File: libnpjp2.so
Path: /usr/java/jre1.8.0_45/lib/amd64/libnpjp2.so
Version: 11.45.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.45.2 for Mozilla browsers
---------------
Not Vulnerable:
---------------
File: libnpjp2.so
Path: /usr/java/jre1.8.0_51/lib/amd64/libnpjp2.so
Version: 11.51.2
State: Enabled
Next Generation Java Plug-in 11.51.2 for Mozilla browsers
OSX 10.10.4 x64:
================
-----------
Vulnerable:
-----------
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 79
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 7 Update 80
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 45
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.
---------------
Not Vulnerable:
---------------
File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 51
State: Enabled
Displays Java applet content, or a placeholder if Java is not installed.
Status: RESOLVED → VERIFIED
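An added example, not part of the bug thread and not Mozilla's blocklist code: a small checker that reads plugin records in the File/Version/State format quoted in comments 3, 4 and 8 and reports any record whose state flag does not match what the blocks from comments 1 and 7 should produce. The mapping of 10.x/11.x plugin versions to Java 7/8 is inferred from the path and version pairs in the thread, and the sample records are constructed.

```javascript
// Added example, not Mozilla code. Ranges are the block names in comments 1 and 7.
const BLOCKED_RANGES = [
  { java: 7, from: 79, to: 80 }, // "Java Plugin 7 update 79 to 80"
  { java: 8, from: 45, to: 45 }, // "Java Plugin 8 update 45"
];
// Flag reported for a blocked plugin while staged and once live (comments 4 and 8).
const EXPECTED_FLAG = { staged: "STATE_VULNERABLE_NO_UPDATE", live: "STATE_VULNERABLE_UPDATE_AVAILABLE" };

// Assumption inferred from the thread's path/version pairs: Windows and Linux
// report 10.<update>.x for Java 7 and 11.<update>.x for Java 8.
function parseJavaVersion(version) {
  let m = /^Java (\d+) Update (\d+)$/.exec(version); // OS X form
  if (m) return { java: Number(m[1]), update: Number(m[2]) };
  m = /^(1[01])\.(\d+)(?:\.\d+)*$/.exec(version);
  if (m) return { java: Number(m[1]) - 3, update: Number(m[2]) };
  return null; // unknown format: surface it instead of guessing
}

function isBlocked(v) {
  return BLOCKED_RANGES.some(r => r.java === v.java && v.update >= r.from && v.update <= r.to);
}

// Parse File/Version/State records and return those whose flag differs from
// what the block should produce in the given phase ("staged" or "live").
function auditPlugins(text, phase) {
  const findings = [];
  let rec = {};
  for (const line of text.split("\n")) {
    const m = /^(File|Path|Version|State):\s*(.*)$/.exec(line.trim());
    if (!m) continue;
    rec[m[1]] = m[2];
    if (m[1] !== "State") continue; // State is the last field of a record
    const v = parseJavaVersion(rec.Version || "");
    const flag = (/\((STATE_\w+)\)/.exec(rec.State) || [])[1] || null;
    const want = v && isBlocked(v) ? EXPECTED_FLAG[phase] : null;
    if (!v) findings.push({ file: rec.File, problem: "unparsed version" });
    else if (flag !== want) findings.push({ file: rec.File, problem: `expected ${want}, got ${flag}` });
    rec = {};
  }
  return findings;
}

// Constructed sample in the thread's format; the last record misses the block.
const SAMPLE = [
  "File: npjp2.dll", "Version: 10.79.2.15", "State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)",
  "File: JavaAppletPlugin.plugin", "Version: Java 8 Update 51", "State: Enabled",
  "File: libnpjp2.so", "Version: 11.45.2", "State: Enabled",
].join("\n");
console.log(auditPlugins(SAMPLE, "live"));
```

Run with phase "staged" against a staging profile and "live" after the push; an empty result means every record carries the flag the blocks call for.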
Comment 9•10 years ago
Excuse me, I'm new here and I've not read all these technical comments (yet) but I do want to tell you about the infinite loop you've created for me. Because the link is blocked, when I go to the Add-on manager and click UPDATE I get the same BLOCKED Add-on page that I saw when I pressed the UPDATE link, which then sends me back to the Add-on page for me to click UPDATE.
How do you expect users to UPDATE any of the software you've BLOCKED under these circumstances?
Flags: needinfo?(jorge)
Comment 10 (Assignee)•10 years ago
The update link should take you to a more useful page than the blocklist page. I'm not sure why that's happening, sorry about that. However, the blocklist page should point to our plugin check page, which should be more useful: http://www.mozilla.org/plugincheck/. Or just take a shortcut and go to https://java.com/.
Flags: needinfo?(jorge)
Comment 11•10 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #10)
> The update link should take you to a more useful page than the blocklist
> page. I'm not sure why that's happening, sorry about that.
I'm hearing this again and again from different people. Do we have a bug filed for that?
Flags: needinfo?(jorge)
Comment 12•10 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #11)
> (In reply to Jorge Villalobos [:jorgev] from comment #10)
> > The update link should take you to a more useful page than the blocklist
> > page. I'm not sure why that's happening, sorry about that.
>
> I'm hearing this again and again from different people. Do we have a bug
> filed for that?
Bug # 798176, CC'd Jorge and yourself if you two want to jump into the conversation :)
Flags: needinfo?(jorge)
Comment 13•10 years ago
Hey guys,
I don't know what you updated here. I still can't update my Java. Can you please unblock this thing. Now I can't work from home because of this. I installed new Java 8 from website and I still get the same message that it is blocked.
Comment 14•10 years ago
(In reply to Deima from comment #13)
> Hey guys,
> I don't know what you updated here. I still can't update my Java. Can you
> please unblock this thing. Now I can't work from home because of this. I
> installed new Java 8 from website and I still get the same message that it
> is blocked.
Which version did you download/install? The latest version is Java SE 8u51 and that shouldn't be blocked. What version does "about:plugins" and "about:addons" list?
Comment 15•10 years ago
Java company stopped updating Java 7 (I have it on my portable computer) on Windows XP. XP is not working for Java 8.
Updated•9 years ago
Product: addons.mozilla.org → Toolkit