Hi,
Probably I'm not the only one who is concerned about updating sections of the system for security reasons: Tomcat, JDK, ActiveMQ, etc.
1. How many of you are using Rennur's resources? https://github.com/RennurApps/AwareIM-resources
I have replaced Tomcat with newer one, but users complained about freezing windows, slow speed.
2. JDK 8 will stop receiving updates after 1st January 2019
Support, please advise how we can protect our Aware applications in the best way possible.
Thank you
Highly demand -- updates - security concerns
Thx,
George
________________________________
Developer Edition
AwareIM: v8.5, build 2824
OS: Windows Server 2012
DB: MySql 5.6.42
Re: Highly demand -- updates - security concerns
Outdated components pose a huge security risk but it does not seem to be given high priority.
Outdated ActiveMQ is one such component that has many potential security issues.
Aware IM is not compatible with the latest releases due to a config change in version 5.12.2, a change due to a security vulnerability which is not addressed by the support team.
Last edited by Rennur on Wed Aug 15, 2018 7:09 am, edited 1 time in total.
Re: Highly demand -- updates - security concerns
Before I go into my views surrounding this topic, I hope that anyone reading it assumes it is constructive rather than a dig at the product (AwareIM).
AwareIM is an amazing piece of software; like all software it does contain bugs that are unforeseen, and as IT-aware individuals providing solutions to individuals/organisations we need to have a level of awareness (pun not intended) regarding basic security and architecture to protect our solutions created with AwareIM.
General Data Protection Regulation (GDPR), Office of the Australian Information Commissioner (OAIC), local data privacy laws and internal business policies are not going to make life any easier, especially for the IT developer who provides solutions designed with AwareIM.
Most external security audits and local IT departments will look at both external/internal security (firewalls, network isolation, security certificates, ACLs, auditing) and component-level software versions as a starting point.
I would like to suggest the following as it might help.
Releases:
Emergency release [Anytime – Out of band] – Critical product update to address potential/imminent vulnerability (any component, script, feature that makes up AwareIM).
Major release [Once a year] – New features and updates that can be rolled together.
Minor release [Twice a year] – Component level updates (DB connectors, Tomcat, ActiveMQ, Kendo, Eclipse et al).
Bug fixes [Anytime] – Updates to existing functions that are broken, scripts and engine related issues.
Secretly a fourth class of update…
Special dooper, some CEO paid for this at an exorbitant rate over $25k and we get free beers at conference and free stuff! - [Anytime]
Obviously this will not keep everyone happy, however I think it's a good balance between ensuring problems get addressed and security moves in the right direction.
Now, it's all good being a stealthy poster and leaving the AwareIM team to do all the leg work.
I’d like to donate some time to help move AwareIM if they wish to consider moving towards this model, maybe we should make it a community effort to keep licensing overheads low?
Avid Linux user....
Re: Highly demand -- updates - security concerns
Do you have any specific security concerns? If so, please explain in detail what they are.
Providing a blanket statement about "using old versions of the software" does not help. You need to specifically point out a vulnerability and how it can be reproduced (if there is any). If some piece of software used in Aware IM has an alleged vulnerability it doesn't automatically mean that Aware IM has a security vulnerability as well. A lot depends on how this piece of software is used.
For example, I cannot see how any vulnerabilities in Active MQ can be a problem for Aware IM, since ActiveMQ is not exposed directly to any potential hacker.
Vulnerabilities in Tomcat could be a problem, but our last release (8.1) used the most up-to-date version of Tomcat available at the time, so it should be quite secure.
We do try to keep up-to-date with Java versions, but again there are no security issues in Aware IM that we know of that are due to the Java version being used.
Aware IM Support Team
Re: Highly demand -- updates - security concerns
The concern is not with the Aware IM software itself as a product. There are no security issues with Aware IM and, like intra said, it's not a dig at the product at all.
Many of the third-party components packaged in Aware IM are managed, patched and improved by their respective owners who have identified vulnerabilities, performance issues and other changes.
It's not about a specific threat (if any), it is simply a preventive measure for the components to be up to date. Most can be manually replaced by the new versions anyway (such as Tomcat, JDK, Connector/J, Apache components) but some can't.
For example there are 13 critical bugs identified in ActiveMQ version 5.8.0 that are likely to impact the running of the server as a whole.
ActiveMQ Bugs
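As an added example (not from this thread and not Aware IM's own tooling), here is a small Python inventory check a reviewer could run over the bundled component versions the thread names; the jar names, version banners and minimum versions below are constructed placeholders, and the check compares versions numerically because a plain string comparison ranks 5.8.0 above 5.12.2.

```python
import re

# Constructed inventory of bundled components, modelled on the ones named in the
# thread (ActiveMQ, Tomcat, Connector/J, JDK). Paths and versions are illustrative
# assumptions, not values read from a real Aware IM installation.
SAMPLE_INVENTORY = {
    "activemq": "activemq-all-5.8.0.jar",
    "tomcat": "Apache Tomcat/8.5.32",
    "mysql-connector-j": "mysql-connector-java-5.1.46-bin.jar",
    "jdk": 'java version "1.8.0_181"',
}

# Assumed minimum acceptable versions (placeholders chosen for the demonstration).
MIN_VERSIONS = {
    "activemq": "5.12.2",
    "tomcat": "8.5.32",
    "mysql-connector-j": "8.0.12",
    "jdk": "1.8.0_181",
}

_VERSION_RE = re.compile(r"(\d+(?:[._]\d+)+)")


def parse_version(text):
    """Pull the first dotted/underscored numeric version out of a jar name or banner
    and return it as a tuple of ints, so (5, 12, 2) > (5, 8, 0) as intended."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in re.split(r"[._]", m.group(1)))


def version_lt(a, b):
    """Numeric comparison with zero-padding so that (8, 5) equals (8, 5, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_outdated(inventory, minimums):
    """Return {component: (found_version or None, required_version)} for every
    component that is missing or below its minimum version."""
    outdated = {}
    for name, required in minimums.items():
        required_v = parse_version(required)
        if name not in inventory:
            outdated[name] = (None, required_v)
            continue
        found = parse_version(inventory[name])
        if version_lt(found, required_v):
            outdated[name] = (found, required_v)
    return outdated


if __name__ == "__main__":
    for name, (found, required) in find_outdated(SAMPLE_INVENTORY, MIN_VERSIONS).items():
        print(f"{name}: found {found}, minimum {required}")
```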
Re: Highly demand -- updates - security concerns
Rennur wrote: For example there are 13 critical bugs identified in ActiveMQ version 5.8.0 that is likely to impact the running of the server as a whole.
The fact that Active MQ has 13 bugs doesn't mean that these bugs are triggered by Aware IM. If they were we would have had a bug report about Aware IM malfunctioning.
Aware IM Support Team
Re: Highly demand -- updates - security concerns
Aware IM Support Team wrote: The fact that Active MQ has 13 bugs doesn't mean that these bugs are triggered by Aware IM.
I never said or implied that.
By the same faulty logic: We are selling Aware IM, not Active MQ.
We're not selling NBN, our system runs fine on ADSL.
Who needs 5G, 3G does not trigger any bugs in our system.
Re: Highly demand -- updates - security concerns
HOLY CRAP
I just noticed this...
Rennur's name is actually MARIO?
I thought Rennur was his name. Mind blown!
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Highly demand -- updates - security concerns
Jaymer wrote: HOLY CRAP
I just noticed this...
Rennur's name is actually MARIO?
I thought Rennur was his name. Mind blown!
So???
What's wrong with the name "Mario"? Very popular name.
Some use different names that relate to product name or website or other things.
Last edited by BenHayat on Sun Aug 19, 2018 3:45 pm, edited 1 time in total.
Re: Highly demand -- updates - security concerns
You're talking as if there is a major issue with AwareIM security.
There isn't any issue that I know of, and I tested my app many times with different methods and tools.
Support is right. Other software issues don't impact AwareIM security; the end user has no direct access to them.
So relax, and don't think every update is necessary. If it is, then support will update.
Re: Highly demand -- updates - security concerns
LOL. I bet you didn't even read the posts or try to understand what is actually being said.
Re: Highly demand -- updates - security concerns
Rennur wrote: LOL. I bet you didn't even read the posts or try to understand what is actually being said.
Sorry captain update, I'm not going to bother you again.
Re: Highly demand -- updates - security concerns
mrbdrm wrote: ... i tested my app many times with different methods and tools
This info would be very helpful. Can you share your test methods, tools, and results?
VocalDay Solutions - Agility - Predictability - Quality
We specialize in enabling business through the innovative use of technology.
AwareIM app with beautiful UI/UX - https://screencast-o-matic.com/watch/crfUrrVeB3t
Re: Highly demand -- updates - security concerns
Saying above...
Please understand that my intention was not saying anything bad about Aware.
We are living in a "secure" world and all systems are exposed to some bad minds (hackers), too many unfortunately.
I sell WordPress websites, NOT PHP.
PHP randomly comes with updates (security or not) and WordPress core recommends updating to the latest PHP versions almost all the time.
P.S. Rennur, I really appreciate your sustain in this thread and your effort keeping the specs on github about updating parts of the system....Support should appreciate this, too.
Thx,
George
________________________________
Developer Edition
AwareIM: v8.5, build 2824
OS: Windows Server 2012
DB: MySql 5.6.42
Re: Highly demand -- updates - security concerns
weblike wrote: P.S. Rennur, I really appreciate your sustain in this thread and your effort keeping the specs on github about updating parts of the system....Support should appreciate this, too.
Agreed. Great work Mario.
VocalDay Solutions - Agility - Predictability - Quality
We specialize in enabling business through the innovative use of technology.
AwareIM app with beautiful UI/UX - https://screencast-o-matic.com/watch/crfUrrVeB3t