Highly demand -- updates - security concerns

weblike
Posts: 1165
Joined: Sun Dec 02, 2012 12:00 pm
Location: Europe

Highly demand -- updates - security concerns

Post by weblike »

Hi,
Probably I'm not the only one who is concerned about updating parts of the system for security reasons: Tomcat, JDK, ActiveMQ, etc.

1. How many of you are using Rennur's resources? https://github.com/RennurApps/AwareIM-resources
I have replaced Tomcat with a newer one, but users complained about freezing windows and slow speed.
2. JDK 8 will stop receiving updates after 1st January 2019

Support, please advise how we can protect our Aware applications in the best way possible.

Thank you
Thx,
George
________________________________
Developer Edition
AwareIM: v8.5, build 2824
OS: Windows Server 2012
DB: MySql 5.6.42
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Re: Highly demand -- updates - security concerns

Post by Rennur »

Outdated components pose a huge security risk, but it does not seem to be given high priority.
Outdated ActiveMQ is one such component that has many potential security issues.

Aware IM is not compatible with the latest releases due to a config change in version 5.12.2, a change made because of a security vulnerability, which is not addressed by the support team.
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Highly demand -- updates - security concerns

Post by intra »

Before I go into my views surrounding this topic, I hope that anyone reading it will take it as constructive instead of a dig at the product (AwareIM).

AwareIM is an amazing piece of software; like all software, it does contain bugs that are unforeseen, and as IT-aware individuals providing solutions to individuals/organisations we need to have a level of awareness (pun not intended) regarding basic security and architecture to protect our solutions created with AwareIM.

General Data Protection Regulation (GDPR), Office of the Australian Information Commissioner (OAIC), local data privacy laws and internal business policies are not going to make life any easier, especially for the IT developer who provides solutions designed with AwareIM.

Most external security audits and local IT departments will look at both external/internal security (firewalls, network isolation, security certificates, ACLs, auditing) and component-level software versions as a starting point.

I would like to suggest the following as it might help.

Releases:

Emergency release [Anytime – Out of band] – Critical product update to address a potential/imminent vulnerability (any component, script or feature that makes up AwareIM).

Major release [Once a year] – New features and updates that can be rolled together.

Minor release [Twice a year] – Component-level updates (DB connectors, Tomcat, ActiveMQ, Kendo, Eclipse et al).

Bug fixes [Anytime] – Updates to existing functions that are broken, scripts and engine related issues.

Secretly a fourth class of update…

Special dooper, some CEO paid for this at an exorbitant rate over $25k and we get free beers at conference and free stuff! - [Anytime]

Obviously this will not keep everyone happy; however, I think it's a good balance between ensuring problems get addressed and security moving in the right direction.

Now, it's all good being a stealthy poster and leaving the AwareIM team to do all the leg work. 8)

I’d like to donate some time to help move AwareIM if they wish to consider moving towards this model, maybe we should make it a community effort to keep licensing overheads low? :shock: :oops: :mrgreen:
Avid Linux user....
aware_support
Posts: 7525
Joined: Sun Apr 24, 2005 12:36 am

Re: Highly demand -- updates - security concerns

Post by aware_support »

Do you have any specific security concerns? If so, please explain in detail what they are.

Providing a blanket statement about "using old versions of the software" does not help. You need to specifically point out a vulnerability and how it can be reproduced (if there is any). If some piece of software used in Aware IM has an alleged vulnerability, it doesn't automatically mean that Aware IM has a security vulnerability as well. A lot depends on how this piece of software is used.

For example, I cannot see how any vulnerabilities in Active MQ can be a problem for Aware IM, since ActiveMQ is not exposed directly to any potential hacker.

Vulnerabilities in Tomcat could be a problem, but our last release (8.1) used the most up-to-date version of Tomcat available at the time, so it should be quite secure.

We do try to keep up to date with Java versions, but again there are no security issues in Aware IM that we know of that are due to the Java version being used.
Aware IM Support Team
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Re: Highly demand -- updates - security concerns

Post by Rennur »

The concern is not with the Aware IM software itself as a product. There are no security issues with Aware IM and, like intra said, it's not a dig at the product at all.

Many of the third-party components packaged in Aware IM are managed, patched and improved by their respective owners, who have identified vulnerabilities, performance issues and other changes.

It's not about a specific threat (if any); it is simply a preventive measure for the components to be up to date. Most can be manually replaced by the new versions anyway (such as Tomcat, JDK, Connector/J, Apache components) but some can't.

For example, there are 13 critical bugs identified in ActiveMQ version 5.8.0 that are likely to impact the running of the server as a whole.
ActiveMQ Bugs
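A defender-side check of the kind this exchange is about, as an added example that is not code from Aware IM or from any poster: it inventories bundled components, flags any below a chosen minimum version or past the JDK 8 public-update date given in this thread, and tests whether each listener is bound to loopback, which is the "not exposed directly" argument made above for ActiveMQ. The component versions, ports and the baseline are assumptions constructed for the example.

```python
# Added example (not Aware IM's code): inventory check for bundled components.
# Versions, ports and the baseline below are constructed for illustration.
from datetime import date
from ipaddress import ip_address

# Constructed inventory, as an operator might build from `java -version`,
# Tomcat's RELEASE-NOTES and netstat output; listener is (bind address, port).
INVENTORY = [
    {"name": "JDK", "version": "1.8.0_181", "listener": None},
    {"name": "Tomcat", "version": "8.5.32", "listener": ("0.0.0.0", 8080)},
    {"name": "ActiveMQ", "version": "5.8.0", "listener": ("127.0.0.1", 61616)},
]
# Minimum versions the operator accepts (constructed), and the public-update
# cut-off for the JDK 8 line as stated in the thread (1 January 2019).
BASELINE = {"ActiveMQ": "5.12.2", "Tomcat": "8.5.32"}
EOL = {"JDK": ("1.8", date(2019, 1, 1))}

def parse_version(v):
    """'1.8.0_181' -> (1, 8, 0, 181) so versions compare numerically."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))

def is_exposed(listener):
    """True when the listener is bound to a non-loopback address."""
    return listener is not None and not ip_address(listener[0]).is_loopback

def check_inventory(inventory, baseline, eol, today):
    """Return (component, finding) pairs for an operator to review."""
    findings = []
    for c in inventory:
        name, ver = c["name"], parse_version(c["version"])
        if name in baseline and ver < parse_version(baseline[name]):
            findings.append((name, f"below baseline {baseline[name]}"))
        if name in eol:
            line, cutoff = eol[name]
            if ver[:2] == parse_version(line) and today >= cutoff:
                findings.append((name, f"public updates ended {cutoff}"))
        if is_exposed(c["listener"]):
            host, port = c["listener"]
            findings.append((name, f"listening on {host}:{port}"))
    return findings

if __name__ == "__main__":
    for comp, note in check_inventory(INVENTORY, BASELINE, EOL, date.today()):
        print(f"{comp}: {note}")
```

A Tomcat listener on 0.0.0.0 is expected for the web tier and is reported only so the operator confirms a firewall fronts it; a broker listener on a non-loopback address is the finding that would undercut the "not exposed" argument.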
aware_support
Posts: 7525
Joined: Sun Apr 24, 2005 12:36 am

Re: Highly demand -- updates - security concerns

Post by aware_support »

Rennur wrote: For example, there are 13 critical bugs identified in ActiveMQ version 5.8.0 that are likely to impact the running of the server as a whole.
We are selling Aware IM, not Active MQ :)

The fact that Active MQ has 13 bugs doesn't mean that these bugs are triggered by Aware IM. If they were we would have had a bug report about Aware IM malfunctioning.
Aware IM Support Team
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Re: Highly demand -- updates - security concerns

Post by Rennur »

aware_support wrote: The fact that Active MQ has 13 bugs doesn't mean that these bugs are triggered by Aware IM.
I never said or implied that.
aware_support wrote: We are selling Aware IM, not Active MQ :)
By the same faulty logic ;):
We're not selling NBN, our system runs fine on ADSL.
Who needs 5G, 3G does not trigger any bugs in our system.
Jaymer
Posts: 2450
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Highly demand -- updates - security concerns

Post by Jaymer »

HOLY CRAP
I just noticed this...
Rennur's name is actually MARIO?
I thought Rennur was his name. Mind blown!
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
BenHayat
Posts: 2749
Joined: Thu Dec 23, 2010 5:48 am
Location: Fla, USA

Re: Highly demand -- updates - security concerns

Post by BenHayat »

Jaymer wrote:HOLY CRAP
I just noticed this...
Rennur's name is actually MARIO?
I thought Rennur was his name. Mind blown!
So???
What's wrong with the name "Mario"? Very popular name.
Some use different names that relate to product name or website or other things.
mrbdrm
Posts: 349
Joined: Tue Oct 16, 2012 11:44 am

Re: Highly demand -- updates - security concerns

Post by mrbdrm »

You're talking as if there is a major issue with AwareIM security.
There isn't any issue that I know of, and I tested my app many times with different methods and tools.
Support is right. Other software issues don't impact AwareIM security; the end user has no direct access to them.
So relax, and don't think every update is necessary. If it is, then support will update.
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Re: Highly demand -- updates - security concerns

Post by Rennur »

LOL. I bet you didn't even read the posts or try to understand what is actually being said.
mrbdrm
Posts: 349
Joined: Tue Oct 16, 2012 11:44 am

Re: Highly demand -- updates - security concerns

Post by mrbdrm »

Rennur wrote:LOL. I bet you didn't even read the posts or try to understand what is actually being said.
Sorry, captain update.
I'm not going to bother you again.
johntalbott
Posts: 619
Joined: Wed Jun 17, 2015 11:16 pm
Location: Omaha, Nebraska

Re: Highly demand -- updates - security concerns

Post by johntalbott »

mrbdrm wrote: ... I tested my app many times with different methods and tools
This info would be very helpful. Can you share your test methods, tools, and results?
VocalDay Solutions - Agility - Predictability - Quality

We specialize in enabling business through the innovative use of technology.

AwareIM app with beautiful UI/UX - https://screencast-o-matic.com/watch/crfUrrVeB3t
weblike
Posts: 1165
Joined: Sun Dec 02, 2012 12:00 pm
Location: Europe

Re: Highly demand -- updates - security concerns

Post by weblike »

As said above...
Please understand that my intention was not to say anything bad about Aware.
We are living in a "secure" world and all systems are exposed to some bad minds (hackers), too many unfortunately.
I sell WordPress websites, NOT PHP.
PHP randomly comes with updates (security or not) and WordPress core recommends updating to the latest PHP versions almost all the time.

P.S. Rennur, I really appreciate your support in this thread and your effort keeping the specs on GitHub about updating parts of the system.... Support should appreciate this, too.
Thx,
George
johntalbott
Posts: 619
Joined: Wed Jun 17, 2015 11:16 pm
Location: Omaha, Nebraska

Re: Highly demand -- updates - security concerns

Post by johntalbott »

weblike wrote: P.S. Rennur, I really appreciate your support in this thread and your effort keeping the specs on GitHub about updating parts of the system.... Support should appreciate this, too.
Agreed. Great work Mario.