Closed Bug 1259458 Opened 8 years ago Closed 8 years ago

Need to blocklist Java less than 8u77.

Component: Toolkit :: Blocklist Policy Requests
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: dveditz
Assignee: eviljeff

+++ This bug was initially created as a clone of Bug #1259177 +++

On Wednesday March 23rd at 12 noon Pacific Time, Java SE 8u77 released, which contains a vulnerability fix. We need to blocklist older versions. There are hints Oracle may have updated Java 7 for paying enterprise customers. If we want to play nice with that then the BAD version (to block) is 7u97, but I don't know what the good version is because those downloads are behind a login.

Related documents:
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html

How to exploit this flaw has been published since around March 9 or 10. This is an update to an older flaw that worked around the "fix" by changing a few characters. Will be trivial for malware authors to change old exploits into this new form very quickly.
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf
http://www.securityweek.com/oracle-reissues-patch-two-year-old-java-flaw
Assignee: nobody → awilliamson
The blocks are now staged:

Java Plugin 7 update 91 to 97 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p811/

Java Plugin 8 update 64 to 76 (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p812/

Java Plugin 7 update 91 to 97 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p813/

Java Plugin 8 update 64 to 76 (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p814/

Java Plugin 7 update 91 to 97 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p815

Java Plugin 8 update 64 to 76 (click-to-play), Linux
https://addons-dev.allizom.org/en-US/firefox/blocked/p816
Flags: needinfo?(kjozwiak)
(In reply to Daniel Veditz [:dveditz] from comment #0)
> +++ This bug was initially created as a clone of Bug #1259177 +++

> customers. If we want to play nice with that then the BAD version (to block)
> is 7u97, but I don't know what the good version is because those downloads
> are behind a login.
> 

¡Hola Daniel!

FWIW from http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html the "good" versions are:

"Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u77 are specified in the following table:

JRE Family Version | JRE Security Baseline (Full Version String)
-------------------|--------------------------------------------
8                  | 1.8.0_77
7                  | 1.7.0_99
6                  | 1.6.0_111"

¡Gracias!
Alex
Reference Documentation:
* https://java.com/en/download/faq/release_dates.xml
* http://www.oracle.com/technetwork/java/javase/downloads/java-archive-javase8-2177648.html

Windows 10 x64 VM: PASSED
=========================

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll
Version: 11.73.2.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.73.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-29-03-02-46-mozilla-central/
* Browser Console: Blocklist state for Java(TM) Platform SE 8 U73 changed from 0 to 4
* Update Now correctly pointing to: /blocked/p814
* ensured "Always Activate" cannot be enabled via about:addons

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_74\bin\plugin2\npjp2.dll
Version: 11.74.2.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.74.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/releases/45.0.1/
* Browser Console: Blocklist state for Java(TM) Platform SE 8 U74 changed from 0 to 4
* Update Now correctly pointing to: /blocked/p814
* ensured "Always Activate" cannot be enabled via about:addons

File: npjp2.dll
Path: C:\Program Files (x86)\Java\jre1.8.0_77\bin\plugin2\npjp2.dll
Version: 11.77.2.3
State: Enabled
Next Generation Java Plug-in 11.77.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/candidates/46.0b6-candidates/build1/
* Browser Console: Blocklist state for Java(TM) Platform SE 8 U77 changed from 0 to 0

Ubuntu 14.04.4 LTS VM: PASSED
=============================

File: libnpjp2.so
Path: /home/kjozwiak/Downloads/jre1.8.0_73/lib/amd64/libnpjp2.so
Version: 11.73.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.73.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-30-03-03-26-mozilla-central/
* Browser Console: Blocklist state for Java(TM) Plug-in 11.73.2 changed from 0 to 4
* Update Now correctly pointing to: /blocked/p816
* ensured "Always Activate" cannot be enabled via about:addons

File: libnpjp2.so
Path: /home/kjozwiak/Downloads/jre1.8.0_74/lib/amd64/libnpjp2.so
Version: 11.74.2
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Next Generation Java Plug-in 11.74.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/candidates/46.0b6-candidates/
* Browser Console: Blocklist state for Java(TM) Plug-in 11.74.2 changed from 0 to 4
* Update Now correctly pointing to: /blocked/p816
* ensured "Always Activate" cannot be enabled via about:addons

File: libnpjp2.so
Path: /home/kjozwiak/Downloads/jre1.8.0_77/lib/amd64/libnpjp2.so
Version: 11.77.2
State: Enabled
Next Generation Java Plug-in 11.77.2 for Mozilla browsers
* Build Used: https://archive.mozilla.org/pub/firefox/releases/45.0.1/linux-x86_64/en-US/
* Browser Console: Blocklist state for Java(TM) Plug-in 11.77.2 changed from 0 to 0

OSX 10.11.4 x64: PASSED
=======================

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 73 build 02
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.
* Build Used: https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-30-00-40-58-mozilla-aurora/
* Browser Console: Blocklist state for Java Applet Plug-in changed from 0 to 4
* Update Now correctly pointing to: /blocked/p812
* ensured "Always Activate" cannot be enabled via about:addons

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 74 build 02
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Displays Java applet content, or a placeholder if Java is not installed.
* Build Used: https://archive.mozilla.org/pub/firefox/releases/45.0.1/mac/en-US/
* Browser Console: Blocklist state for Java Applet Plug-in changed from 0 to 4
* Update Now correctly pointing to: /blocked/p812
* ensured "Always Activate" cannot be enabled via about:addons

File: JavaAppletPlugin.plugin
Path: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
Version: Java 8 Update 77 build 03
State: Enabled
Displays Java applet content, or a placeholder if Java is not installed.
* Build Used: https://archive.mozilla.org/pub/firefox/candidates/46.0b6-candidates/build1/mac/en-US/
* Browser Console: Blocklist state for Java Applet Plug-in changed from 0 to 0
Issue #1:

As Dan mentioned in comment #0, Java 7 is behind a portal for paying customers only. During the last Java blocklist, I attempted getting access to the portal so we could test Java 7 against our blocklist but I ended up being bounced around in Oracle's customer support system. We eventually released the blocklist without testing Java 7 as it took a very long time to hear anything from Oracle. Eventually the support ticket was closed and I was added to Oracle's product mailing list which still spams me :/

Issue #2:

While testing the staged blocklist, I've noticed that sometimes it takes a very long time to pull the blocklist. In the past, it was almost instant but this time around, I had to wait at least a minute or two before pulling the blocklist from the staging server. Sometimes it even timed out with strange errors, for example:

Paste in browser console: Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

(Wait about 2 minutes)

* Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/47.0a2/Firefox/20160330004058/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/aurora/Darwin%2015.4.0/default/default/1/1/new/
Blocklist:onError: There was an error loading the blocklist file
* nsIXMLHttpRequest channel unavailable

Paste in browser console: Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

(wait 2 minutes and the blocklist was finally pulled)

I also noticed the following error in the browser console occurring pretty frequently:

Blocklist::_handleCertItemNode: Error adding revoked cert by Issuer and Serial[Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsICertBlocklist.revokeCertByIssuerAndSerial]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/components/nsBlocklistService.js :: Blocklist.prototype._handleCertItemNode :: line 958"  data: no]

Other than the above issues, everything worked as expected. Andrew or Jorge, mind taking a look at the above issues?
Flags: needinfo?(kjozwiak)
Flags: needinfo?(jorge)
Flags: needinfo?(awilliamson)
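The check behind the staged blocks in comment #1 (Java 7 update 91 to 97, Java 8 update 64 to 76) applied to the plug-in version strings that the test log above reports, as an added Python example. This is not Firefox's blocklist code and not anything attached to this bug. The state values 0 and 4 are the ones the browser console prints on this page; the mapping of NPAPI plug-in major version 11.x to Java 8 is taken from the log lines that show 11.73.2.2 beside jre1.8.0_73, the 10.x to Java 7 mapping is an assumption, and the inventory at the bottom is constructed from the paths and versions in the test report.

```python
import re

# Inclusive update ranges blocked by this bug, keyed by Java family version.
BLOCKED_UPDATE_RANGES = {7: (91, 97), 8: (64, 76)}

# Blocklist states as they appear in the browser console output on this page
# ("changed from 0 to 4", STATE_VULNERABLE_UPDATE_AVAILABLE).
STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4

# Assumed mapping of NPAPI plug-in major version to Java family:
# 11.x = Java 8 (shown on this page next to jre1.8.0_73), 10.x = Java 7 (assumption).
PLUGIN_MAJOR_TO_FAMILY = {10: 7, 11: 8}


def parse_java_version(text):
    """Return (family, update) for the three version-string shapes in the test log."""
    text = text.strip()
    # npjp2.dll / libnpjp2.so: "11.73.2.2", "11.73.2"
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)*", text)
    if m and int(m.group(1)) in PLUGIN_MAJOR_TO_FAMILY:
        return PLUGIN_MAJOR_TO_FAMILY[int(m.group(1))], int(m.group(2))
    # JavaAppletPlugin.plugin on Mac: "Java 8 Update 73 build 02"
    m = re.fullmatch(r"Java (\d+) Update (\d+)(?: build \d+)?", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    # JRE full version string from Oracle's baseline table: "1.8.0_77"
    m = re.fullmatch(r"1\.(\d+)\.\d+_(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def blocklist_state(text):
    """Return the state this bug's blocks would assign to an installed plug-in."""
    family, update = parse_java_version(text)
    bounds = BLOCKED_UPDATE_RANGES.get(family)
    if bounds and bounds[0] <= update <= bounds[1]:
        return STATE_VULNERABLE_UPDATE_AVAILABLE
    return STATE_NOT_BLOCKED


def audit(inventory):
    """Classify an inventory of (path, version) pairs; returns [(path, state)]."""
    return [(path, blocklist_state(version)) for path, version in inventory]


# Constructed inventory using the paths and versions from the test report above.
SAMPLE_INVENTORY = [
    (r"C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll", "11.73.2.2"),
    (r"C:\Program Files (x86)\Java\jre1.8.0_77\bin\plugin2\npjp2.dll", "11.77.2.3"),
    ("/home/kjozwiak/Downloads/jre1.8.0_74/lib/amd64/libnpjp2.so", "11.74.2"),
    ("/Library/Internet Plug-Ins/JavaAppletPlugin.plugin", "Java 8 Update 77 build 03"),
]

if __name__ == "__main__":
    for path, state in audit(SAMPLE_INVENTORY):
        label = "VULNERABLE_UPDATE_AVAILABLE" if state else "not blocked"
        print(f"{state}  {label:28s} {path}")
```

Versions at or above the baselines in Oracle's table (1.8.0_77, 1.7.0_99) fall outside the ranges and stay at state 0, matching the "changed from 0 to 0" lines for 8u77 in the test log.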
@jason - any thoughts on #c4 (issue 2)
Flags: needinfo?(jthomas)
Flags: needinfo?(jorge)
Flags: needinfo?(awilliamson)
There were some issues with blocklist on -dev a few hours ago. Could we try again?
Flags: needinfo?(jthomas)
(In reply to Jason Thomas [:jason] from comment #6)
> There was some issues with blocklist on -dev a few hours ago. Could we try
> again?

I'll go through some quick spot checks and see if the response times from the -dev server have improved.
The blocks are now live:

Java Plugin 7 update 91 to 97 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p1141

Java Plugin 8 update 64 to 76 (click-to-play), Mac OS X
https://addons.mozilla.org/en-US/firefox/blocked/p1142

Java Plugin 7 update 91 to 97 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p1143

Java Plugin 8 update 64 to 76 (click-to-play), Windows
https://addons.mozilla.org/en-US/firefox/blocked/p1144

Java Plugin 7 update 91 to 97 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p1145

Java Plugin 8 update 64 to 76 (click-to-play), Linux
https://addons.mozilla.org/en-US/firefox/blocked/p1146
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
I quickly went through a spot check using the latest versions of fx45.0.1, fx46.0, fx47.0 and fx48.0 and didn't run into any performance or timeout issues. The blocklist was pulled in pretty quickly without the 2min delay that I was noticing yesterday.

However, I'm still seeing the following error in the browser console every time I pull in the blocklist from the -dev staging server. Receiving this error on the latest m-a, m-b and m-r but NOT under m-c:

Blocklist::_handleCertItemNode: Error adding revoked cert by Issuer and Serial[Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsICertBlocklist.revokeCertByIssuerAndSerial]"  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/components/nsBlocklistService.js :: Blocklist.prototype._handleCertItemNode :: line 958"  data: no]
logged #c9 as bug 1261333 to keep this bug for the Java blocks alone