commons-fileupload 1.3.3 resolves deserialisation vulnerability CVE-2016-1000031

CVE-2016-1000031 is a vulnerabilty in the extremely widely used Apache Commons library commons-fileupload – you might not even know you’re having it on your class path. It has a very nasty Remote Code Execution vulnerability with easy to use exploits publicly available up to version 1.3.2. What makes it even worse is that you do not even need to use the library – you only need to have it on your class path and to deserialise some data. The data is the attack vector. You can find a good in detail explanation of the vulnerability here.

It did take a while but with version 1.3.3 this vulnerability is finally closed (by default).

There is some stuff that you should know about the fix though:

Continue reading

Integration of JBake in Maven – Static Websites

JBake is a “Java based, open source, static site generator” (http://jbake.org/, on github https://github.com/jbake-org/jbake). It is a great choice if you want to create static HTML websites. No slow loading of dynamic content anymore. Additionally, if a site is created on load by JavaScript, issues with indexing and search engine optimization/SEO might occur. This is not a problem with static sites. At the same time different template engines like FreeMarker (http://freemarker.org/) help you modularize the website. You only have to define menu and footer once and they will be inserted automatically.

JBake was perfect for us to create a microsite with 15 different pages and lots of reappearing elements. We integrated JBake into Maven to create a comfortable release process. To do this we used the plug-in jbake-maven-plugin (https://github.com/ingenieux/jbake-maven-plugin). This sample project shows the fundamental integration: https://github.com/ingenieux/jbake-sample.

Continue reading

JGroups & Cloud issues when clustering the EAP 6 – AS 7

As announced this is the last post of our series about clustering of the Redhat EAP 6 and JBoss AS 7. The other posts of this series were

Overview

This post will dig deeper into the clustering mechanisms of the EAP 6 and JBoss AS 7. We will show different solutions to multicast problems you will get in most cloud networks as well as some other networks. Infinispan uses JGroups to do its cluster communication. Cluster communication here means multiple things: finding other cluster nodes, providing a reliable transfer, implementing multicast communication even if there is no IP multicast available, identifying dead cluster nodes and a little bit more. In fact JGroups is able to do a lot more but Infinispan does not need all of the opportunities JGroups offers. The upcoming HornetQ version 2.3 which will be included in the EAP 6.1 will use JGroups for server discovery too. This post will explain the basic principles of JGroups and how to configure it in different network setups, especially most cloud networks.

Continue reading

Scalable HA Clustering with JBoss AS 7 / EAP 6

Overview

In a recent blog-post Clustering in JBoss AS7/EAP 6 we showed how basic clustering in the new EAP 6 and JBoss AS 7 can be used. The EAP 6 is basically an AS 7 with official RedHat-support. Our cluster we described in that post was small and simple. This post will cover much more complex cluster structures, how to build them and how we can utilize the new domain-mode for our clusters. There are multiple ways to build and manage bigger JBoss cluster environments. We will describe two ways to do so: One using separating techniques also applicable to older JBoss versions and the other way using an Infinispan feature called distribution.

Scalability vs. Availability

The main challenge when building a cluster is to make it both highly available and scalable.

Availability for a cluster means: If one node fails, all the sessions on that node will be seamlessly served by another node. This can be achieved through session-replication. Session-replication is preconfigured and enabled in the ha profile in the domain.xml. Flat replication means that all sessions are copied to all other nodes: If you have got four nodes with 1GB memory for each of them, your cluster can only use 1GB of memory because basically all nodes store copies from each other. I. e. your cluster will not have 4*1GB=4GB memory. If you would add more nodes to this cluster you would not get more memory, you will even lose some memory due to overhead for replication. But you will get more availability and more important more network traffic due to replication overhead (all changes need to be redistributed to all other nodes). Let us call this cluster topology full-replication.
Continue reading