commons-fileupload 1.3.3 resolves deserialisation vulnerability CVE-2016-1000031

CVE-2016-1000031 is a vulnerability in the extremely widely used Apache Commons library commons-fileupload; you might not even know you have it on your class path. Versions up to 1.3.2 contain a very nasty Remote Code Execution vulnerability, and easy-to-use exploits are publicly available. What makes it even worse is that you do not even need to use the library: it only needs to be on your class path, and your application only needs to deserialise some data. The data is the attack vector. You can find a good, detailed explanation of the vulnerability here.

It did take a while, but with version 1.3.3 this vulnerability is finally closed (by default).
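Note that 1.3.3 closes the hole inside the library only: DiskFileItem now refuses to deserialise unless the system property org.apache.commons.fileupload.disk.DiskFileItem.serializable is set to true. Whatever version you run, the general weakness described above (any gadget on the class path plus deserialisation of attacker-controlled bytes) remains, and the practical defence is to never deserialise untrusted data without a class allow-list. The following is an added example, not code from the original post or from commons-fileupload: it uses the JDK's own ObjectInputFilter (java.io, Java 9 and later) to allow only the classes the application expects, so a serialised DiskFileItem, or any other gadget that merely happens to be on the class path, is rejected before its readObject() hook can run. The package name com.example.model is a placeholder for your own DTO package.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example: deserialisation behind a class allow-list.
 * Replaces the unfiltered "new ObjectInputStream(in).readObject()" that is the
 * attack surface for CVE-2016-1000031 and every other classpath gadget.
 */
public final class SafeDeserializer {

    // ObjectInputFilter pattern syntax, first match wins:
    //   com.example.model.**   your own DTO package and its subpackages (placeholder name)
    //   java.lang.String etc.  the few JDK value/collection types those DTOs use
    //   !*                     reject everything else, which includes
    //                          org.apache.commons.fileupload.disk.DiskFileItem
    private static final String ALLOW_LIST =
            "com.example.model.**;java.lang.String;java.lang.Integer;java.lang.Long;"
          + "java.util.ArrayList;!*";

    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter(ALLOW_LIST);

    /** Deserialise bytes of unknown origin; throws InvalidClassException for anything not allowed. */
    public static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // checked for every class descriptor in the stream
            return ois.readObject();
        }
    }

    /** Helper to build sample input for the demo below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an ArrayList<String>, which the allow-list permits.
        Object ok = readUntrusted(serialize(new ArrayList<>(List.of("a", "b"))));
        System.out.println("allowed:  " + ok);

        // Constructed sample 2: a class that is NOT on the list. java.util.HashMap
        // stands in for DiskFileItem so the demo compiles without commons-fileupload;
        // the outcome is the same for any gadget that just happens to be on the class path.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 8 before update 121 there is no ObjectInputFilter; the same allow-list can be enforced by overriding ObjectInputStream.resolveClass() and throwing InvalidClassException for any class name not on the list. The filter can also be set process-wide with the jdk.serialFilter system property, which catches deserialisation in third-party code you do not control.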

There are some things you should know about the fix, though:

Continue reading

The lightweightness of microservices – Comparing Spring Boot, WildFly Swarm, and Haskell Snap

A microservice is an autonomous sub-application for a strictly defined and preferably small domain. An application built from microservices is scalable, resilient, and flexible, at least if the services and their infrastructure are well designed. One requirement on the frameworks used to achieve scalability and resilience is that they are lightweight. Lightweightness comes in different flavors: microservices should start and stop quickly and consume few resources, and their development and maintenance should be easy.

For this reason, in the Java world, Spring Boot is currently recommended as the best choice regarding these requirements. Traditional Java EE application servers are considered too heavyweight, because they are not developed as a basis for single services but as a platform for running different applications simultaneously, and are therefore assumed to be bloated.

Being a curious person, I used some of my spare time during the last Christmas holidays to actually measure the lightweightness. First I chose Spring Boot and WildFly as competitors. I added WildFly Swarm, which provides similar features to Spring Boot but is based on WildFly. Then, looking at the requirements, I decided to include a framework with a really small startup time compared to the Java-based frameworks and chose Snap, which is based on Haskell. For every framework I built a minimal microservice, wrapped it in a Docker container, and measured its weight.

Continue reading

Don’t get trapped into a memory leak using CDI Instance Injection

In one of our recent projects we encountered memory leaks while using standard Java EE technologies like CDI and EJBs. The application in question communicates heavily over JMS as its transport layer. To handle different message types dynamically we used CDI's Instance injection. That approach can trap you in memory leak problems, as it did us, so we would like to share our experiences and what you can do about it.
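The excerpt does not show the code, so the following is an added example (not the post's own code) of the form this leak usually takes with CDI Instance injection. A bean with the default @Dependent scope obtained from Instance.get() is bound to the lifecycle of that Instance, which in turn lives as long as the bean owning the injection point; for an application-scoped dispatcher or a pooled EJB that is effectively forever, so every message handled leaves one more handler object behind. The @MessageType qualifier, the handler names and the "type" message property are assumptions for the illustration; the fix shown is Instance.destroy(), which exists since CDI 1.1 (Java EE 7).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.Dependent;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.enterprise.util.AnnotationLiteral;
import javax.inject.Inject;
import javax.inject.Qualifier;
import javax.jms.JMSException;
import javax.jms.Message;

/* Added example. Qualifier used to pick a handler by JMS message type (hypothetical name). */
@Qualifier
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD, ElementType.FIELD, ElementType.PARAMETER})
@interface MessageType {
    String value();
}

/* Annotation literal so the qualifier can be chosen at runtime via Instance.select(). */
class MessageTypeLiteral extends AnnotationLiteral<MessageType> implements MessageType {
    private final String value;

    MessageTypeLiteral(String value) {
        this.value = value;
    }

    @Override
    public String value() {
        return value;
    }
}

interface MessageHandler {
    void handle(Message message) throws JMSException;
}

/* @Dependent (the default scope): every Instance.get() creates a brand new OrderHandler. */
@Dependent
@MessageType("order")
class OrderHandler implements MessageHandler {
    @Override
    public void handle(Message message) throws JMSException {
        // application logic, e.g. message.getBody(String.class)
    }
}

/* Long-lived dispatcher; an MDB or a singleton EJB would behave the same way. */
@ApplicationScoped
class MessageDispatcher {

    // @Any is needed so that select() can match handlers carrying only the @MessageType qualifier.
    @Inject
    @Any
    Instance<MessageHandler> handlers;

    /*
     * LEAKING variant: the dependent handler returned by get() stays referenced by the
     * Instance's creational context until the dispatcher itself is destroyed, which for an
     * application-scoped bean means never. One JMS message equals one leaked handler.
     */
    public void dispatchLeaking(Message message) throws JMSException {
        String type = message.getStringProperty("type");
        MessageHandler handler = handlers.select(new MessageTypeLiteral(type)).get();
        handler.handle(message);
    }

    /*
     * FIXED variant: release the dependent instance explicitly with Instance.destroy()
     * once the message has been handled, even if handling throws.
     */
    public void dispatch(Message message) throws JMSException {
        String type = message.getStringProperty("type");
        Instance<MessageHandler> selected = handlers.select(new MessageTypeLiteral(type));
        MessageHandler handler = selected.get();
        try {
            handler.handle(message);
        } finally {
            selected.destroy(handler);
        }
    }
}
```

The alternative to calling destroy() is to give the handlers a normal scope such as @ApplicationScoped, in which case get() returns a client proxy and no per-call object is created; that only works if the handlers are stateless.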

Continue reading

Camunda BPM: Test your processes based on plain old java delegates

Motivation

Testing your processes is an important task to validate the expected behaviour of your application. An introduction to proper test automation in process applications can be found in the following camunda webinar: https://network.camunda.org/webinars/24

A common approach for testing your processes is to mock the actual service implementation or swap it completely for an implementation written for the test. For CDI-based Java delegates this is easy to do within the camunda BPM test environment.

But if your project does not allow you to rely on your favourite CDI- or Spring-based environment, you have to configure the Java delegates for your service tasks via class name binding. Unfortunately there seems to be no out-of-the-box approach to test that kind of configuration easily.

We will show you how to make use of the extensibility of the camunda BPM engine to mock plain Java delegates as easily as their CDI/Spring counterparts.

Continue reading

Red Hat JBoss Middleware: A technology stack for IoT-Applications

JBoss EAP 7 and ActiveMQ Artemis as the connector between temperature and humidity sensors and the application architecture

Most IoT applications face similar challenges on the way from the sensor to the final aggregation, in terms of the use and, where applicable, the relaying of data. In this article we introduce an architecture based on the new Red Hat JBoss Enterprise Application Platform (JBoss EAP) in version 7 and outline an IoT application as a showcase.

MQTT has become the de facto standard protocol for IoT, and in this showcase the devices are integrated via MQTT.

One major change in JBoss EAP 7 is ActiveMQ Artemis as the messaging broker, which supports MQTT as a transport protocol. JBoss EAP 7 is our preferred technology, among other things for IoT architectures, because its capabilities facilitate the efficient development of scalable and secure applications.

A combined temperature and humidity sensor, the Bosch XDK, and Harting's Mica Box are used to supply the data. MQTT and the JBoss EAP 7 middleware build the bridge between this sensor setup and the rest of the world.

Continue reading

Red Hat JBoss Enterprise Application Platform 7 (JBoss EAP 7) – final release

A few days ago, Red Hat released the major version 7 of the open source Java EE application server, Red Hat JBoss Enterprise Application Platform (JBoss EAP).

Red Hat JBoss Enterprise Application Platform (JBoss EAP) is the supported and quality assured version of the WildFly application server from the JBoss community.

[Figure: JBoss EAP / WildFly upstream history]

JBoss EAP 7 is based on version 10 of the WildFly application server. In 2013 Red Hat renamed the JBoss AS community project to WildFly to avoid confusion with the JBoss brand, which referred to several different things at once: the application server, the JBoss community, and a range of other JBoss products.

The main improvements and highlights of the JBoss EAP 7 release

This article focuses on the following main improvements and highlights of the new major release, JBoss EAP 7:

  • implementation of the new Java Enterprise Edition 7 specifications
  • enhanced modularity
  • management improvements
  • component updates
  • compatibility and interoperability

Continue reading

Getting started with ELK and JBoss EAP6

In this post we will describe what is needed to get started with managing your EAP 6 logs with ElasticSearch, Logstash and Kibana. There are several reasons why you would want to collect your logging output in a central place:

  • Aggregate (output from multiple applications / hosts)
  • Correlate events in different systems
  • Analyze (more than grep)
  • Backup
  • Integrate into monitoring
  • Gather statistics

A common solution that supports all these use cases is provided by the ELK stack. It consists of ElasticSearch (ES), Logstash and Kibana. ElasticSearch provides persistence and analytics, Logstash provides the pipeline that brings your logs into ES, and Kibana provides a GUI for querying and dashboards.

Continue reading