OpenJPA 3rd party Serp no longer supported > security risk


OpenJPA 3rd party Serp no longer supported > security risk

Anneliese Leipold

Hi,

we are using OpenJPA in our product. Checking for security, we found that Serp, which is a 3rd party component of OpenJPA, is no longer supported. This represents a security risk. So how do you address this issue? Do you take over ownership of it? Otherwise we (and probably not only we) would be forced to replace OpenJPA.

Looking forward to your answer

Best regards,

Anneliese

ANNELIESE LEIPOLD | Software Development Manager
Phone: ++467216291509
Oracle Agile A9

ORACLE Deutschland B.V. & Co. KG
Head office: Riesstr. 25, D-80992 München
Register court: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Nederland, No. 30143697
Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher



Re: OpenJPA 3rd party Serp no longer supported > security risk

Romain Manni-Bucau
Hi Anneliese,

Last time we asked, we got upgrades in Serp when we needed them, but the plan is to use ASM instead of Serp for these parts.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>

2017-03-20 10:06 GMT+01:00 Anneliese Leipold <[hidden email]>:

Re: OpenJPA 3rd party Serp no longer supported > security risk

J Grassel
Hello.  SERP is more or less a third party library hosted on SourceForge
that is in maintenance mode.  The last activity with SERP were updates to
support Java 8 JVM instruction set additions and constant pool types, and
it is likely that there will be updates to support such new additions to
Java 9 once the Virtual Machine Specification has been finalized and
released.

You speak of security concerns, have you found a security/integrity bug in
the SERP code that needs to be reported and corrected?

On Mon, Mar 20, 2017 at 12:31 PM, Romain Manni-Bucau <[hidden email]>
wrote:

Re: OpenJPA 3rd party Serp no longer supported > security risk

kwsutter
Administrator
Several OpenJPA developers have the ability to update the Serp repository.
And, as Jody pointed out, we have had to do that from time to time for Java
class file format updates.  I would expect that Java 9 would need some
similar updates. Serp has needed very little maintenance over the years.
So I am not understanding the concern....

Kevin

On Mar 20, 2017 11:19, "Jody Grassel" <[hidden email]> wrote:

RE: OpenJPA 3rd party Serp no longer supported > security risk

Anneliese Leipold

Hi Romain, Jody, Kevin,

thanks a lot for your feedback.

The concerns we have are that the last update of Serp dates back to October 2014, and that we tried to contact the email address listed on the SourceForge site and got a rejected mail delivery message. But we are not hosting the Serp source and have not checked for security issues on it.

@Kevin: Do I understand you right that OpenJPA developers are checking Serp for security issues? And that you would, or already did, deliver a bug-fixed Serp version together with OpenJPA in case of need?

Best regards,

Anneliese


Re: OpenJPA 3rd party Serp no longer supported > security risk

kwsutter
Administrator
Anneliese,
Since Serp is part of the OpenJPA deliverable, any security risks detected via OpenJPA would be properly addressed -- whether the risk was in OpenJPA, Serp, or any other dependent library.  So far, we are not aware of any past, present, or future security risks associated with Serp.  We have corrected other security risks in OpenJPA proper in the past.  Hope this helps.

Thanks,
Kevin

On Tue, Mar 28, 2017 at 5:11 AM, Anneliese Leipold <[hidden email]> wrote:
