Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...

Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.
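The summary says MD5-signed JARs will be "treated as unsigned", which leaves an administrator with an inventory problem: which of the archives already deployed carry MD5 digests? The following is an added example, not Oracle's code or anything shipped with Java. It builds a constructed JAR in memory (with a placeholder `.RSA` block rather than a real PKCS#7 signature), then reads the digest attributes out of `META-INF/MANIFEST.MF` and `META-INF/*.SF`, which is where `jarsigner` records the digest algorithm. The "signed-but-disabled" rule it applies is a deliberate simplification (a signature file that uses any disabled digest is ignored); the real JRE also inspects the digest OID inside the signature block, which this scanner does not parse.

```python
"""Added example: find JARs whose signatures rely on digests a JRE no longer
accepts. Not Oracle's code; the JAR it scans is constructed in memory."""
from __future__ import annotations
import base64
import hashlib
import io
import re
import zipfile

# Digest attributes in MANIFEST.MF / *.SF look like "SHA-256-Digest:",
# "MD5-Digest:" (per entry) or "MD5-Digest-Manifest:" (whole manifest).
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)

# Digests the April 2017 change stops accepting for JAR signatures.
DISABLED_DIGESTS = frozenset({"MD2", "MD5"})


def _b64digest(alg: str, data: bytes) -> str:
    """Base64 digest, the encoding the JAR manifest format uses."""
    return base64.b64encode(
        hashlib.new(alg.replace("-", "").lower(), data).digest()).decode()


def build_jar(entries: dict[str, bytes], digest_alg: str | None = None) -> bytes:
    """Construct a test JAR. With digest_alg set, MANIFEST.MF and a .SF carry
    digests of that algorithm; the .RSA block is a stand-in, not real PKCS#7."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    sf = "Signature-Version: 1.0\r\n"
    if digest_alg:
        for name, data in entries.items():
            manifest += (f"Name: {name}\r\n"
                         f"{digest_alg}-Digest: {_b64digest(digest_alg, data)}\r\n\r\n")
        sf += (f"{digest_alg}-Digest-Manifest: "
               f"{_b64digest(digest_alg, manifest.encode())}\r\n\r\n")
        for name, data in entries.items():
            # The .SF per-entry digest covers that entry's manifest section.
            section = (f"Name: {name}\r\n"
                       f"{digest_alg}-Digest: {_b64digest(digest_alg, data)}\r\n\r\n")
            sf += (f"Name: {name}\r\n"
                   f"{digest_alg}-Digest: {_b64digest(digest_alg, section.encode())}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if digest_alg:
            zf.writestr("META-INF/LEGACY.SF", sf)
            zf.writestr("META-INF/LEGACY.RSA", b"\x30\x00")  # constructed stand-in
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def signature_metadata(jar_bytes: bytes) -> dict[str, str]:
    """Text of META-INF/MANIFEST.MF and every META-INF/*.SF in the archive."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            u = name.upper()
            if u == "META-INF/MANIFEST.MF" or (u.startswith("META-INF/") and u.endswith(".SF")):
                out[name] = zf.read(name).decode("utf-8", errors="replace")
    return out


def digest_algorithms(jar_bytes: bytes) -> dict[str, set[str]]:
    """Which digest algorithms each manifest/signature file relies on."""
    return {name: {m.group(1).upper() for m in DIGEST_ATTR.finditer(text)}
            for name, text in signature_metadata(jar_bytes).items()}


def signature_status(jar_bytes: bytes, disabled=DISABLED_DIGESTS) -> str:
    """'unsigned', 'signed' or 'signed-but-disabled' (simplified rule: a .SF
    using any disabled digest is ignored; no usable .SF left means unsigned)."""
    sf_files = {n: a for n, a in digest_algorithms(jar_bytes).items()
                if n.upper().endswith(".SF")}
    if not sf_files:
        return "unsigned"
    if any(not (algs & disabled) for algs in sf_files.values()):
        return "signed"
    return "signed-but-disabled"


if __name__ == "__main__":
    entries = {"com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12}  # constructed
    for alg in ("MD5", "SHA-256", None):
        jar = build_jar(entries, alg)
        print(alg, digest_algorithms(jar), signature_status(jar))
```

Pointing `signature_status` at real archives (`open(path, "rb").read()`) gives a first-pass inventory of what will stop running in April; anything reported as "signed-but-disabled" needs re-signing or one of the deployment-rule-set exceptions the summary mentions.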

55 comments

  1. that's great and all... by Anonymous Coward · · Score: 0

    BUT WHAT ABOUT SOLARIS

    1. Re:that's great and all... by Anonymous Coward · · Score: 0

      Solaris is dead. Try Linux, you might like it.

    2. Re:that's great and all... by KiloByte · · Score: 3, Insightful

      BUT WHAT ABOUT SOLARIS

      It was dead the moment Oracle ate Sun -- it wasn't even their primary target, merely collateral damage in their plan to kill MySQL.

      Unrelated: you really should check your keyboard, either your Caps Lock or Shift is stuck. If you can't fix that immediately, try stty iuclc although this helps on terminals only (although elinks is an option). If you did that intentionally, please at least use small caps: apt install tran; echo "But what about Solaris?"|tran smallcaps; that's way less rude. As the Great Runes have been dead in England since the 11th century, and on computer terminals since the late 1970s, there's no reason to use them.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:that's great and all... by Zontar The Mindless · · Score: 1

      ... their plan to kill MySQL.

      Did you remember to tell Oracle about this plan? Because I don't think they know anything about it.

      --
      Il n'y a pas de Planet B.
    4. Re:that's great and all... by KiloByte · · Score: 2

      They didn't expect a group of most competent devs jumping ship and making MariaDB. It's nearly impossible for a fork of something as complex to succeed, thus it was a near-sure bet that control of MySQL would let them slowly extinguish their biggest competitor. Well, proper use cases for Oracle-the-DB and MySQL differ but most people who decide don't know the difference: if that wasn't the case, MySQL wouldn't have the massive usage share it enjoys, as if you need real SQL then Postgres is much better, and if you don't, you're better served by a non-relational database.

      Thus, instead of reaping the rewards, they flail wildly and merely make MySQL unusable: stop real new features, shut down access to most of bug database, halt any detailed information about security vulnerabilities (providing fixes only as massive new versions, unfit for backporting). Thus, distributions are switching to MariaDB left and right: Debian just did, Fedora did so ages ago.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:that's great and all... by Anonymous Coward · · Score: 0

      The people who made old MySQL 5.0, 5.1 shitty left and made MariaDB, a shitty clone of MySQL 5.5.

      Meanwhile, except for some features found in the latest MariaDB 10.2 and a bunch of half baked storage engines, MariaDB is about 1.5 years behind in technology compared to MySQL, which is chugging along just fine with loads of enhancements.

      Unexpectedly, Oracle saved MySQL from Monty "The Close-Sourcer". Monty cannot close source the MariaDB server because it's a GPL fork, but he sure wishes it. Needless to say MariaDB "corporation" close-sources the software not owned by Oracle.

  2. Fuck Java by Anonymous Coward · · Score: 0, Flamebait

    Just kill Java already. It's become the IE6 of programming languages with its insecure and bug-ridden VM and web plugin.

  3. The article suggests only 1.8 by xxxJonBoyxxx · · Score: 1

    The article suggests only 1.8, but will this also be pushed to 1.6 and 1.7 too?

    1. Re: The article suggests only 1.8 by Anonymous Coward · · Score: 0

      I hope not or we will have a lot of enterprise equipment (printers, copiers, projectors, etc) that will become unmanaged.

    2. Re: The article suggests only 1.8 by xxxJonBoyxxx · · Score: 1

      That's why I asked. :)

    3. Re: The article suggests only 1.8 by jabuzz · · Score: 1

      Including a whole bunch of stuff with Sun and Oracle badges on the front........

    4. Re: The article suggests only 1.8 by myowntrueself · · Score: 1

      I hope not or we will have a lot of enterprise equipment (printers, copiers, projectors, etc) that will become unmanaged.

      Oh don't worry I'm sure the vendors will all provide updates!

      --
      In the free world the media isn't government run; the government is media run.
    5. Re: The article suggests only 1.8 by Billly Gates · · Score: 1

      dude whoever updates Java?

      Seriously the joke is it is soo incompatible ... without itself. Too many programs use security exploits to function. I have seen poorly written java version from major US banks that use Java 1.4.2 (yes forces this on companies with accountants) use COM+ objects for Excel to function. Or they use RMI to go to c:\program files\jre\bin to check the version number (face palm).

      So no 64 bit computing for YOU! That moves java to program files(x86) which the java applets will error saying "Please install java!"

      No Windows 9 ... java will say UPGRADE FROM WIN98!. Java is HORRIBLE. Man I cry too as it had so much freaking potential. It shows RMS is right when corporations fuck up a good thing. Java could have stayed secure and been updated to native binaries like C#/mono. Bad management and years of neglect killed it so now web developers are stuck in nasty node.js land with javascript.

    6. Re: The article suggests only 1.8 by Lisandro · · Score: 1

      This. For a "write once, run anywhere" language, Java is horribly dependent on VM version and host OS. I've honestly written more portable code in Perl than in Java.

    7. Re: The article suggests only 1.8 by Billly Gates · · Score: 1

      Java is write once ... with the same version of Java. The problem is the security fixes break the functionality of the platform. RMI or remote method invocation for calling win32 objects as a local admin with no sandbox defeats the purpose of the VM.

      Get rid of this and Java is actually secure. This angers me because Java was awesome and it rotted and went to shit due to bad management. Java still has a rich 100,000 methods and objects to call from and could have been still popular today if management let it compete with C#/Mono.

      It needed native binaries, updated interactions (NO RMI) with other things outside the realm of a VM so it can compete with Ruby on Rails and node.js. Generics were introduced so late. Sun stopped updating it and the other languages outdid it and were not limited by its own VM and ecosystem.

      The obsession over portability and lack of features, and poor security decisions probably due to outsourcing to India to JR level programmers killed it. Not to sound socialist but RMS has a point if the community owned java instead of a corporation.

    8. Re:The article suggests only 1.8 by arglebargle_xiv · · Score: 1

      Holy shit, MD5 and 512-bit keys, Oracle are literally twenty years behind the times in crypto. It's no wonder that a company that cares this little about security is having to push out patches that fix 270 vulnerabilities at once.

    9. Re: The article suggests only 1.8 by Anonymous Coward · · Score: 0

      Mod parent up. I don't think it can be understated just how many devices have old Java in them that are essentially un-updatable.

      I keep a VM running Windows XP with an early version of Java 1.6 for this specific reason alone: some devices I manage are old enough with respect to java that modern Java's just won't accept the applets.

  4. Those who can't write a secure virtual machine... by Anonymous Coward · · Score: 1

    ...write a code-signing infrastructure instead.

  5. Oracle to block squirrels by Anonymous Coward · · Score: 0

    Bad for the power grid, or some such shit

  6. You cannot sign with MD5, you hash with MD5. by bhspencer · · Score: 1

    Presumably they mean that they wont accept RSA signatures over MD5 hashes.

    1. Re:You cannot sign with MD5, you hash with MD5. by Thanatiel · · Score: 1

      Technically you could use several asymmetrical algorithms over MD5. (Not saying it's a good idea, but neither is using MD5.)
      Thus saying MD5 covers everything.

      --
      Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    2. Re: You cannot sign with MD5, you hash with MD5. by ewanm89 · · Score: 1

      Part of the RSA signature algorithm is signing a hash of the content you want to sign. They are changing that hashing algorithm.

      The funny thing is sha-1 is no longer fit for this purpose and so Mozilla is requiring sha-2 in all HTTPS certificates from next week (after a major push by all the browser creators for CAs to use sha-256 for the last couple of years), so yeah, Oracle and Java are way behind the times and that is before we get to those that won't update.
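The point of this sub-thread is that an RSA signature is computed over a digest, so "MD5 signing" really means "RSA over MD5", and the policy change swaps out the digest half. The example below is added here and is not Oracle's code or the JDK's own implementation; it models the check with a policy string written in the syntax the `java.security` file uses for `jdk.jar.disabledAlgorithms` (bare algorithm names, or `ALG keySize OP N`). The `POLICY` value is constructed for the example rather than copied from any JDK release, and the idea of splitting a `<digest>with<key>` name into its two halves and testing each half against the policy is this example's simplification of what a runtime does. It also covers the 512-bit key case raised above, since a `keySize <` rule rejects weak keys independently of the digest.

```python
"""Added example: decide whether a JAR signature would be accepted under a
jdk.jar.disabledAlgorithms-style policy. Not Oracle's code."""
from __future__ import annotations
import operator
import re

# Constructed policy in the java.security syntax; real JDK defaults may differ.
POLICY = "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024"

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
# One policy entry: "MD5" or "RSA keySize < 1024".
_RULE = re.compile(r"^(?P<alg>[A-Za-z0-9_-]+)"
                   r"(?:\s+keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<n>\d+))?$")


def _norm(alg: str) -> str:
    """'SHA-256', 'sha256' and 'SHA256' all compare equal."""
    return alg.replace("-", "").upper()


def parse_policy(text: str) -> list[tuple[str, str | None, int | None]]:
    """Split 'ALG' and 'ALG keySize OP N' entries into (alg, op, n) rules."""
    rules = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = _RULE.match(item)
        if not m:
            raise ValueError(f"unrecognised policy entry: {item!r}")
        rules.append((_norm(m["alg"]), m["op"], int(m["n"]) if m["n"] else None))
    return rules


def split_signature_algorithm(sig_alg: str) -> tuple[str, str]:
    """'MD5withRSA' -> ('MD5', 'RSA'): the digest that is signed and the
    public-key algorithm that signs it."""
    parts = re.split(r"with", sig_alg, maxsplit=1, flags=re.I)
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"not a <digest>with<key> name: {sig_alg!r}")
    return parts[0], parts[1]


def check_signature(policy: str, sig_alg: str, key_bits: int) -> tuple[bool, list[str]]:
    """Return (accepted, reasons) for a signature made with sig_alg over a
    key of key_bits. A bare rule disables the algorithm outright; a keySize
    rule disables it only when the comparison holds. Either half of the
    signature algorithm being disabled is enough to reject the signature."""
    digest, key = split_signature_algorithm(sig_alg)
    reasons = []
    rules = parse_policy(policy)
    for alg, bits in ((digest, None), (key, key_bits)):
        for rule_alg, op, n in rules:
            if rule_alg != _norm(alg):
                continue
            if op is None:
                reasons.append(f"{alg} is disabled")
            elif bits is not None and _OPS[op](bits, n):
                reasons.append(f"{alg} keySize {bits} violates 'keySize {op} {n}'")
    return (not reasons, reasons)


if __name__ == "__main__":
    for sig, bits in (("MD5withRSA", 2048), ("SHA256withRSA", 2048),
                      ("SHA256withRSA", 512), ("MD5withRSA", 512)):
        print(f"{sig:>14} / {bits:>4}-bit key ->", check_signature(POLICY, sig, bits))
```

Note that `keySize < 1024` is strict, so a 1024-bit RSA key still passes under this policy while a 512-bit one does not; the digest rule, by contrast, has no size to argue about and rejects MD5 regardless of key strength, which is exactly what "treated as unsigned" means for an otherwise healthy 2048-bit signer.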

  7. Seems to me by buss_error · · Score: 2, Interesting

    It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.

    I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

    The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

    Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

    I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

    Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re: Seems to me by Anonymous Coward · · Score: 0

      You stupid idiot, you can do X

    2. Re:Seems to me by Anonymous Coward · · Score: 0

      I'm sure there are many that will start off a reply "You stupid idiot, you can do X!"

      There is nowhere in your post any X that would qualify for such a reply, no statement at all about something Java is not able to do. Nothing to suggest if we wish either, on what would that be? The only information in your post is that you run Java in a virtual machine and that somebody else stops using it.

      Good luck finding a nice job without Java. Pro-tip: learn at least one new language each year, start with often used and well established ones (C, Python, SQL), then fancy ones (Swift, Go, Rust), and throw some niche (Assembly, Erlang, Fortran) or functional (Lisp, Racket, Haskell) or weird (Prolog, Factor, Intercal) language in from time to time. It will at the same time keep you sharp and also broaden your horizon; a lot is possible. Then choose any of the languages you've learned to write a Forth implementation and you're a demi-god.

    3. Re:Seems to me by Hylandr · · Score: 1

      I really think Oracle is actively trying to kill Java; with this MD5 signing thing blocking thousands of apps that will never be re-signed and then aggressively pursuing Java licensing fees, this would be the icing on the cake.

      In case you missed it previously:
      https://developers.slashdot.or...

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    4. Re:Seems to me by Lisandro · · Score: 1

      There're plenty of well paid IT jobs without Java. Fully agree with your recommendation of keeping up to date on new languages though.

    5. Re:Seems to me by Billly Gates · · Score: 1

      It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.

      I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

      The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

      Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

      I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

      Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

      In other words it is a more modern version of COBOL, the other language that refuses to die and that employers scream they can't find qualified applicants for. Just a 1990s version with objects and some media support.

      Go for smaller or startup companies. Java is here not for new things but for legacy stuff from when Java was cool, circa the 1997 - 2008 timeframe. These systems are so big now and integrated into the business process chain that they can't be removed, as jobs were eliminated due to Java automation. Sigh

    6. Re:Seems to me by Anonymous Coward · · Score: 0

      What could they possibly gain from that?

    7. Re: Seems to me by ralphsiegler · · Score: 1

      You insult COBOL, if written to be portable COBOL apps can run everywhere and for decades, unlike Java which breaks its API with minor point releases Signed, Fed up J2ee server admin

    8. Re:Seems to me by Anonymous Coward · · Score: 0

      In case you missed it previously:

      In case you missed it when that article was discussed. You have to explicitly enable these commercial features with a flag. While I hate to defend ORACLE, they are going after companies that go out of their way to violate the license in that case.

    9. Re:Seems to me by buss_error · · Score: 1

      Good luck finding a nice job without Java

      Thank you.

      Pro-tip: learn at least one new language each year

      Why would I do that? I have problems to solve, I can't learn a new language every year and be more than a tyro at it. There are those that love the new thing, however, when there are $tens-of-thousands of servers involved, running $i-don't-know-how-many virtual guests, well, proven and solid are more highly valued than simple "new" without any sort of benefit to be had going into it.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    10. Re:Seems to me by Anonymous Coward · · Score: 0

      It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.

      Actually, pretty much the entire lifetime of Java's security aspects have been a POS.

  8. Re:Those who can't write a secure virtual machine. by lucasnate1 · · Score: 0

    Is there any secure virtual machine around? Because I have yet to see one.

  9. Can't believe Java ever allowed MD5 to begin with by Lisandro · · Score: 1

    Ever since Dobbertin found a hash collision in 1996 RSA labs themselves were already recommending alternatives such as SHA-1. This was just around the time Java 1.0 was released.

  10. stupid human by Anonymous Coward · · Score: 0

    Those who can't write a secure virtual machine

    stupid human is too stupid to realize that humans are too stupid to accomplish such a task

  11. Unsigned Java Applets by supremebob · · Score: 1

    These security changes just make it tougher and tougher to support "legacy" Java applets that are unsigned. Forget Java 8... even the newer versions of Java 7 can't run them anymore.

    I guess that it's good that they fix these issues, but they need to offer workarounds or I'm going to have to keep installing Java 6 on some customer machines to keep their legacy crap running.

  12. Remember when by JustAnotherOldGuy · · Score: 1

    "the current Critical Patch Update, released this week, which included a whopping 270 security fixes,"

    Remember when Java was touted as the super-secure language that was supposed to be nearly impossible to exploit? I do.

    It was gonna be the "write-once, compile anywhere" language that was going to make all other languages obsolete. It was basically going to take over the world and *everything* was going to be written in Java, "Everything, you'll see!" they said. It was going to be the Uber Language for all time, the Final Solution.

    Oh, the Java early adopters sneered at anyone who didn't jump on the Java Train and they kept crowing about how it was going to be the end of sloppy programming and uncertain coding, and vulnerable executables would be a thing of the past...

    I didn't believe it then and I (obviously) don't believe it now.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Remember when by Billly Gates · · Score: 1

      It was secure .... then Sun put in RMI which unsandboxed code at admin level could leave the sandbox and full access to the filesystem/environment FACEPALM.

      Java is fairly secure at the server level. It was browser applets that freaking deserve to die, using RMI or remote method interface at local admin to put in God knows what just from visiting a website, that created this disaster.

      FYI I want java to die now so I am not a fanboy. Php was bad too and still is. Most geeks have moved on from these 2 for these and many other reasons to ruby, node.js, and Erlang/Elixir.

    2. Re:Remember when by johannesg · · Score: 1

      You missed "it's faster than C!! Well, it will be faster than C in the future! Well, it will be faster than C once we have JIT. Well, it will be faster than C once JIT actually optimizes things as promised... Any day now..."

      "The year is 2017, and Oracle launches the last of America's deep database probes. After his systems are unexpectedly frozen by garbage collection, Solaris 12 and its pilot Captain Larry 'Buck' Ellison are blown out of their trajectory into an orbit which freezes his life support systems, and returns Larry Ellison to Earth five-hundred years later."

    3. Re:Remember when by antdude · · Score: 1

      This is why I trust no one, like The X-Files says.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  13. Thought it said to block Java by Billly Gates · · Score: 1

    Well one could always hope

  14. It's about licensing fees on the new way. by Anonymous Coward · · Score: 0

    It's more about licensing fees on the new way of doing it.

    1. Re:It's about licensing fees on the new way. by cryptizard · · Score: 1

      Nope, all SHA hash functions are standardized by the federal government and are license free.

    2. Re:It's about licensing fees on the new way. by Hylandr · · Score: 1

      Not if Java refuses to load those functions and requires their 'more secure' proprietary functions instead.

      This feels like the computer industry trying to lock out the free like in the days of big iron.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    3. Re:It's about licensing fees on the new way. by cryptizard · · Score: 1

      Literally wtf are you even talking about. We know what Java does. It uses regular standard hash functions, no proprietary ones.

  15. Watch out for http:// OCSP URLs as well! by Anonymous Coward · · Score: 0

    Some versions of java are _already_ blocking as invalid or untrustworthy any certificates *served over https* when they have http OCSP URIs, at least in firefox and chrome under Linux (where it is run through icedtea).

    Now, try explaining *that* to the idiots taking care of homebanking sites, which test their unsafe crap using outdated versions of said browsers on ultra-outdated versions of Linux distros, or only IE under Windows...

  16. Ummm, good? by djbckr · · Score: 1

    I know it's fashionable to dump on the Java ecosystem around here. However, given the tools and libraries that are available, I find it incredibly easy to write apps quickly and efficiently. Personally, I've started to use Kotlin and it rocks. Between it and Groovy and the massive wealth of libraries in the Java ecosystem, I haven't found anything else that lets me be as productive.

    That said, some of the frameworks out there just plain suck. My employer is building a Spring/Hibernate Servlet system, and while there are a few things that are kinda cool about Spring, I think it's mostly a clusterf**k of an over-bloated framework. I guess you have to use it when you are communicating with a bunch of disparate systems, but I'm certain that it's killing our team's productivity hugely.

    I've tried Go, and I like it but there is not very much of a community around it, and the database package was designed by morons. I've tried Rust. I think it has potential, but it's really hard to spin up your head around it. And again, not much of a community.

  17. Re:Those who can't write a secure virtual machine. by Anonymous Coward · · Score: 0

    Browser vendors seem confident enough in their JavaScript execution engine to enable it by default even though none of the JavaScript is signed. Instead of locking down unsigned Java applets, Oracle could have written a VM for them in JavaScript and Oracle's part would have been secure since any exploit would be the browser vendor's responsibility to fix.

  18. JAR files? by Anonymous Coward · · Score: 0

    Anyway, who is using that old Nokia S40 phone?

  19. Btw Slashdot's owner uses periodic Java articles by Anonymous Coward · · Score: 0

    to collect the IDs of Java haters so that they don't have to worry about hiring them into jobs where they might be forced to lower themselves to using Java and sabotaging the company. They should only be allowed to work on the flavor of the month so their feelings are not hurt.

  20. Re:Can't believe Java ever allowed MD5 to begin wi by Anonymous Coward · · Score: 0

    I knew that Java had holes like a sieve, but still using MD5 as a signature that proves something (not just for checking unintentional transmission errors) is still a surprise. We are removing all uses of the JRE, for example switching from Sikuli to Lackey for all GUI scripting/automation.

  21. Yay for legacy appliances by heson · · Score: 1

    It is a joy for IT to keep around a bunch of old java client environments to access old printers, NAS, switches, kvm switches, motherboard controllers (iLO etc), blade server management all "conveniently" accessed through a web browser (and requiring an old obsolete java and old insecure java features).

  22. What's wrong with Java? by Anonymous Coward · · Score: 0

    This is a legitimate question, as I am confused about the remarks people make.

    What is so inherently bad about Java security? I understand that the JVM is itself a piece of software that may have vulnerabilities outside of our control, but is that it?