Slashdot Mirror


Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...

Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.


  1. The article suggests only 1.8 by xxxJonBoyxxx · · Score: 1

    The article suggests only 1.8, but will this also be pushed to 1.6 and 1.7 too?

    1. Re: The article suggests only 1.8 by xxxJonBoyxxx · · Score: 1

      That's why I asked. :)

    2. Re: The article suggests only 1.8 by jabuzz · · Score: 1

      Including a whole bunch of stuff with Sun and Oracle badges on the front........

    3. Re: The article suggests only 1.8 by myowntrueself · · Score: 1

      I hope not or we will have a lot of enterprise equipment (printers, copiers, projectors, etc) that will become unmanaged.

      Oh don't worry I'm sure the vendors will all provide updates!

      --
      In the free world the media isn't government run; the government is media run.
    4. Re: The article suggests only 1.8 by Billly+Gates · · Score: 1

      dude whoever updates Java?

      Seriously the joke is it is so incompatible ... without itself. Too many programs use security exploits to function. I have seen poorly written java version from major US banks that use Java 1.4.2 (yes forces this on companies with accountants) use COM+ objects for Excel to function. Or they use RMI to go to c:\program files\jre\bin to check the version number (face palm).

      So no 64 bit computing for YOU! That moves java to program files(x86) which the java applets will error saying "Please install java!"

      No Windows 9 ... java will say UPGRADE FROM WIN98!. Java is HORRIBLE. Man I cry too as it had so much freaking potential. It shows RMS is right when corporations fuck up a good thing. Java could have stayed secure and been updated to native binaries like C#/mono. Bad management and years of neglect killed it so now web developers are stuck in nasty node.js land with javascript.

    5. Re: The article suggests only 1.8 by Lisandro · · Score: 1

      This. For a "write once, run anywhere" Java is horribly dependent on VM version and host OS. I've honestly written more portable code in Perl than Java.

    6. Re: The article suggests only 1.8 by Billly+Gates · · Score: 1

      Java is write once ... with the same version of Java. The problem is the security fixes break the functionality of the platform. RMI or remote method invocation for calling win32 objects as a local admin with no sandbox defeats the purpose of the VM.

      Get rid of this and Java is actually secure. This angers me because Java was awesome and it rotted and went to shit due to bad management. Java still has a rich 100,000 methods and objects to call from and could have been still popular today if management let it compete with C#/Mono.

      It needed native binaries, updated interactions (NO RMI) with other things outside the realm of a VM so it can compete with Ruby on Rails and node.js. Generics were introduced so late. Sun stopped updating it and the other languages outdid it and were not limited by its own VM and ecosystem.

      The obsession over portability and lack of features, and poor security decisions probably due to outsourcing to India to JR level programmers killed it. Not to sound socialist but RMS has a point if the community owned java instead of a corporation.

    7. Re:The article suggests only 1.8 by arglebargle_xiv · · Score: 1

      Holy shit, MD5 and 512-bit keys, Oracle are literally twenty years behind the times in crypto. It's no wonder that a company that cares this little about security is having to push out patches that fix 270 vulnerabilities at once.

  2. Those who can't write a secure virtual machine... by Anonymous Coward · · Score: 1

    ...write a code-signing infrastructure instead.

  3. You cannot sign with MD5, you hash with MD5. by bhspencer · · Score: 1

    Presumably they mean that they wont accept RSA signatures over MD5 hashes.

    1. Re:You cannot sign with MD5, you hash with MD5. by Thanatiel · · Score: 1

      Technically you could use several asymmetrical algorithms over MD5. (Not saying it's a good idea, but neither is using MD5.)
      Thus saying MD5 covers everything.

      --
      Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    2. Re: You cannot sign with MD5, you hash with MD5. by ewanm89 · · Score: 1

      Part of the RSA signature algorithm is signing a hash of the content you want to sign. They are changing that hashing algorithm.

      The funny thing is SHA-1 is no longer fit for this purpose and so Mozilla is requiring SHA-2 in all HTTPS certificates from next week (after a major push by all the browser creators for CAs to use SHA-256 for the last couple of years), so yeah, Oracle and Java is way behind the times and that is before we get to those that won't update.
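    The summary above says MD5-signed JARs will be "treated as unsigned" from 8u131, and the thread here points out that the MD5 in question is the hash the RSA signature is computed over. In a signed JAR that hash shows up in two places: the `*-Digest` attributes in META-INF/MANIFEST.MF and META-INF/*.SF, and the digest and signature algorithm OIDs inside the PKCS#7 block (META-INF/*.RSA, *.DSA or *.EC). The 8u131 change is applied through the `jdk.jar.disabledAlgorithms` property in lib/security/java.security, which gains MD5. The scanner below is an added example (not code from the article, from Slashdot or from Oracle) for auditing a JAR estate ahead of that cut-off. The two JARs it builds are constructed test data: the digests are dummies and the "signature block" only embeds the relevant OIDs in place of a real DER SignedData structure, which is all the scanner looks at.

```python
# Added example: find MD5 in a JAR's signing metadata (the use Java 8u131 rejects).
import io
import re
import zipfile

# DER-encoded OIDs as they appear byte-for-byte inside a PKCS#7 signature block.
OID_MD5 = bytes.fromhex("06082a864886f70d0205")            # 1.2.840.113549.2.5     md5
OID_MD5_RSA = bytes.fromhex("06092a864886f70d010104")      # 1.2.840.113549.1.1.4   md5WithRSAEncryption
OID_SHA256 = bytes.fromhex("0609608648016503040201")       # 2.16.840.1.101.3.4.2.1 sha256
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11  sha256WithRSAEncryption

MD5_OIDS = {"md5": OID_MD5, "md5WithRSAEncryption": OID_MD5_RSA}

# Matches "MD5-Digest:", "SHA-256-Digest-Manifest:", "...-Digest-Manifest-Main-Attributes:"
# at the start of a manifest line and captures the algorithm name.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?\s*:", re.M)


def scan_jar(jar_bytes: bytes) -> dict:
    """Report digest algorithms and MD5 OIDs found in a JAR's META-INF signing files."""
    report = {"signed": False, "digests": set(), "md5_oids": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith((".SF", "/MANIFEST.MF")):
                # A .SF file is only present when the JAR carries a signature.
                report["signed"] |= upper.endswith(".SF")
                text = zf.read(name).decode("utf-8", errors="replace")
                report["digests"].update(m.group(1).upper() for m in DIGEST_ATTR.finditer(text))
            elif upper.endswith((".RSA", ".DSA", ".EC")):
                report["signed"] = True
                blob = zf.read(name)
                # Substring match on the DER OID encoding: a heuristic, but one a
                # genuine MD5 signature block cannot avoid tripping.
                report["md5_oids"].update(label for label, oid in MD5_OIDS.items() if oid in blob)
    report["uses_md5"] = "MD5" in report["digests"] or bool(report["md5_oids"])
    return report


def verdict(report: dict) -> str:
    """Turn a scan report into the operational decision an admin needs."""
    if not report["signed"]:
        return "unsigned"
    if report["uses_md5"]:
        return "signed with MD5: treated as unsigned from 8u131, re-sign with SHA-256"
    return "signed without MD5"


def build_sample_jar(digest: str, digest_oid: bytes, sig_oid: bytes) -> bytes:
    """Constructed test data: the file layout of a signed JAR with dummy digest values."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: com/example/Hello.class\r\n"
        f"{digest}-Digest: AAAAAAAAAAAAAAAAAAAAAA==\r\n\r\n"
    )
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{digest}-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAA==\r\n\r\n"
        "Name: com/example/Hello.class\r\n"
        f"{digest}-Digest: AAAAAAAAAAAAAAAAAAAAAA==\r\n\r\n"
    )
    # Stand-in for the PKCS#7 SignedData block (not a valid DER structure): a real one
    # carries these same OIDs in its digestAlgorithms and signerInfos fields.
    sig_block = b"\x30\x82\x00\x00" + digest_oid + b"\x05\x00" + sig_oid + b"\x05\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", sf)
        zf.writestr("META-INF/SIGNER.RSA", sig_block)
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "legacy.jar": build_sample_jar("MD5", OID_MD5, OID_MD5_RSA),
        "modern.jar": build_sample_jar("SHA-256", OID_SHA256, OID_SHA256_RSA),
    }
    for label, jar in samples.items():
        r = scan_jar(jar)
        print(f"{label}: digests={sorted(r['digests'])} md5_oids={sorted(r['md5_oids'])} -> {verdict(r)}")
```

    To run it over real files, pass `open(path, "rb").read()` to `scan_jar`. The JDK's own check is `jarsigner -verify -verbose -certs foo.jar`, which on 8u131 and later flags MD5 in its warnings; the scanner above is useful when you need to inventory thousands of JARs without a matching JDK on every host, and it reads only the metadata, so it does not verify the signature itself.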

  4. Re:that's great and all... by KiloByte · · Score: 3, Insightful

    BUT WHAT ABOUT SOLARIS

    It was dead the moment Oracle ate Sun -- it wasn't even their primary target, merely collateral damage in their plan to kill MySQL.

    Unrelated: you really should check your keyboard, either your Caps Lock or Shift is stuck. If you can't fix that immediately, try stty iuclc although this helps on terminals only (although elinks is an option). If you did that intentionally, please at least use small caps: apt install tran; echo "But what about Solaris?"|tran smallcaps; that's way less rude. As the Great Runes are dead in England since 11th century, last computer terminals since late 1970s, there's no reason to use them.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  5. Seems to me by buss_error · · Score: 2, Interesting

    It seems to me that the stewardship of Java in the past few years, particularly its security aspects, have rendered it useless and undesirable.

    I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

    The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

    Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

    I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

    Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:Seems to me by Hylandr · · Score: 1

      I really think oracle is actively trying to kill Java, with this MD5 signing thing blocking thousands of apps that will never be re-signed and then aggressively pursuing java licensing fees, this would be the icing on the cake.

      In case you missed it previously:
      https://developers.slashdot.or...

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    2. Re:Seems to me by Lisandro · · Score: 1

      There're plenty of well paid IT jobs without Java. Fully agree with your recommendation of keeping up to date on new languages though.

    3. Re:Seems to me by Billly+Gates · · Score: 1

      It seems to me that the stewardship of Java in the past few years, particularly its security aspects, have rendered it useless and undesirable.

      I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

      The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

      Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

      I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

      Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

      In other words it is a more modern version of COBOL, the other language that refuses to die that employers scream they can't find qualified applicants for. Just a 1990s version with objects and some media support.

      Go for smaller or startup companies. Java is here not for new things but for legacy stuff when Java was cool circa 1997 - 2008 timeframe. These systems are so big now and integrated into the business process chain that they can't be removed as jobs were eliminated due to Java automation. Sigh

    4. Re: Seems to me by ralphsiegler · · Score: 1

      You insult COBOL. If written to be portable, COBOL apps can run everywhere and for decades, unlike Java which breaks its API with minor point releases. Signed, Fed up J2EE server admin

    5. Re:Seems to me by buss_error · · Score: 1

      Good luck finding a nice job without Java

      Thank you.

      Pro-tip: learn at least one new language each year

      Why would I do that? I have problems to solve, I can't learn a new language every year and be more than a tyro at it. There are those that love the new thing, however, when there are $tens-of-thousands of servers involved, running $i-don't-know-how-many virtual guests, well, proven and solid are more highly valued than simple "new" without any sort of benefit to be had going into it.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  6. Can't believe Java ever allowed MD5 to begin with by Lisandro · · Score: 1

    Ever since Dobbertin found a hash collision in 1996, RSA Labs themselves were already recommending alternatives such as SHA-1. This was just around the time Java 1.0 was released.

  7. Unsigned Java Applets by supremebob · · Score: 1

    These security changes just make it tougher and tougher to support "legacy" Java applets that are unsigned. Forget Java 8... even the newer versions of Java 7 can't run them anymore.

    I guess that it's good that they fix these issues, but they need to offer workarounds or I'm going to have to keep installing Java 6 on some customer machines to keep their legacy crap running.

  8. Remember when by JustAnotherOldGuy · · Score: 1

    "the current Critical Patch Update, released this week, which included a whopping 270 security fixes,"

    Remember when Java was touted as the super-secure language that was supposed to be nearly impossible to exploit? I do.

    It was gonna be the "write-once, compile anywhere" language that was going to make all other languages obsolete. It was basically going to take over the world and *everything* was going to be written in Java, "Everything, you'll see!" they said. It was going to be the Uber Language for all time, the Final Solution.

    Oh, the Java early adopters sneered at anyone who didn't jump on the Java Train and they kept crowing about how it was going to be the end of sloppy programming and uncertain coding, and vulnerable executables would be a thing of the past...

    I didn't believe it then and I (obviously) don't believe it now.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Remember when by Billly+Gates · · Score: 1

      It was secure .... then Sun put in RMI which unsandboxed code at admin level could leave the sandbox and full access to the filesystem/environment FACEPALM.

      Java is fairly secure at the server level. It was browser applets that freaking deserve to die using RMI or remote method Interface at local admin to put in God knows what just from visiting a website that created this disaster.

      FYI I want java to die now so I am not a fanboy. Php was bad too and still is. Most geeks have moved on from these 2 for these and many other reasons to ruby, node.js, and Erlang/Elixir.

    2. Re:Remember when by johannesg · · Score: 1

      You missed "it's faster than C!! Well, it will be faster than C in the future! Well, it will be faster than C once we have JIT. Well, it will be faster than C once JIT actually optimizes things as promised... Any day now..."

      "The year is 2017, and Oracle launches the last of America's deep database probes. After his systems are unexpectedly frozen by garbage collection, Solaris 12 and its pilot Captain Larry 'Buck' Ellison are blown out of their trajectory into an orbit which freezes his life support systems, and returns Larry Ellison to Earth five-hundred years later."

    3. Re:Remember when by antdude · · Score: 1

      This is why I trust no one, like The X-Files says.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  9. Thought it said to block Java by Billly+Gates · · Score: 1

    Well one could always hope

  10. Re:that's great and all... by Zontar+The+Mindless · · Score: 1

    ... their plan to kill MySQL.

    Did you remember to tell Oracle about this plan? Because I don't think they know anything about it.

    --
    Il n'y a pas de Planet B.
  11. Re:It's about licensing fees on the new way. by cryptizard · · Score: 1

    Nope, all SHA hash functions are standardized by the federal government and are license free.

  12. Re:It's about licensing fees on the new way. by Hylandr · · Score: 1

    Not if Java refuses to load those functions and requires their 'more secure' proprietary functions instead.

    This feels like the computer industry trying to lock out the free like in the days of big iron.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  13. Re:It's about licensing fees on the new way. by cryptizard · · Score: 1

    Literally wtf are you even talking about. We know what Java does. It uses regular standard hash functions, no proprietary ones.

  14. Re:that's great and all... by KiloByte · · Score: 2

    They didn't expect a group of the most competent devs jumping ship and making MariaDB. It's nearly impossible for a fork of something this complex to succeed, thus it was a near-sure bet that control of MySQL would let them slowly extinguish their biggest competitor. Well, proper use cases for Oracle-the-DB and MySQL differ but most people who decide don't know the difference: if that wasn't the case, MySQL wouldn't have the massive usage share it enjoys, as if you need real SQL then Postgres is much better, and if you don't, you're better served by a non-relational database.

    Thus, instead of reaping the rewards, they flail wildly and merely make MySQL unusable: stop real new features, shut down access to most of bug database, halt any detailed information about security vulnerabilities (providing fixes only as massive new versions, unfit for backporting). Thus, distributions are switching to MariaDB left and right: Debian just did, Fedora did so ages ago.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  15. Ummm, good? by djbckr · · Score: 1

    I know it's fashionable to dump on the Java ecosystem around here. However, given the tools and libraries that are available, I find it incredibly easy to write apps quickly and efficiently. Personally, I've started to use Kotlin and it rocks. Between it and Groovy and the massive wealth of libraries in the Java ecosystem, I haven't found anything else that lets me be as productive.

    That said, some of the frameworks out there just plain suck. My employer is building a Spring/Hibernate Servlet system, and while there are a few things that are kinda cool about Spring, I think it's mostly a clusterf**k of an over-bloated framework. I guess you have to use it when you are communicating with a bunch of disparate systems, but I'm certain that it's killing our team's productivity hugely.

    I've tried Go, and I like it but there is not very much of a community around it, and the database package was designed by morons. I've tried Rust. I think it has potential, but it's really hard to spin up your head around it. And again, not much of a community.

  16. Yay for legacy appliances by heson · · Score: 1

    It is a joy for IT to keep around a bunch of old java client environments to access old printers, NAS, switches, kvm switches, motherboard controllers (iLO etc), blade server management all "conveniently" accessed through a web browser (and requiring an old obsolete java and old insecure java features).