News

Java Watch 4/12/17: CERT Security Warning, Deprecated Object.finalize, Updated Red Hat Tools

• By John K. Waters
• April 12, 2017

Here's a roundup of this week's news and product announcements around Java and Java-related technologies:

• CERT Security Warning
  The computer emergency response team (CERT) issued an advisory warning that several Java implementations of the Action Message Format, third edition (AMF3), are vulnerable to insecure deserialization and XML external entities references. AMF is a binary format used to serialize object graphs, such as ActionScript objects and XML, or to send messages between an Adobe Flash client and a remote service.
  

  The list of potential implementation errors includes: CWE-502: Deserialization of Untrusted Data; CWE-913: Improper Control of Dynamically-Managed Code Resources; and CWE-611: Improper Restriction of XML External Entity Reference ('XXE').

  These flaws make it possible for a remote attacker with the ability to spoof or control a server connection to send serialized Java objects that execute arbitrary code when deserialized. CERT warned developers to be "very suspicious" of deserialized data from an untrusted source in general, and to use the updated versions of the JDK.

• Deprecated Object.finalize
  Oracle has made it clear that it wants to deprecate the Object.finalize method, soon, but it probably won't get around to doing so in the upcoming JDK 9 release.
  
  "Finalizers are inherently problematic and their use can lead to performance issues, deadlocks, hangs, and other problematic behavior," wrot4e Oracle's Roger Riggs a post on the OpenJDK mailing list.

  A finalizer is a regular Java instance method that returns void and takes no arguments. The finalize() method is a protected and non-static method of the java.lang.Object class. The Object.finalize method is used to perform cleanup operations on unmanaged resources held by the current object before the object is destroyed.

  The finalize() method has been around since Java 1.0, but the idea of dropping is not new.

  "The problems have been accumulating for many years and the first step to deprecate Object.finalize and the overrides in the JDK [is] to communicate the issues, recommend alternatives, and motivate changes where finalization is currently used," Riggs wrote.

• Updated Red Hat Tools
  Red Hat announced the beta availability of Red Hat Software Collections 2.4 and Red Hat Developer Toolset 6.1. The company describes its Software Collection as a "curated" set of the latest, stable open source developer languages, tools, and databases delivered on a more frequent cadence than Red Hat Enterprise Linux (RHEL). The Red Hat Developer Toolset is designed to streamline application development on the RHEL platform by providing access to the latest, stable, open-source C and C++ compilers and complementary development and performance profiling tools.

  The list of new languages added to Red Hat Software Collections 2.4 beta includes:

  • Nginx 1.10
  • Node.js v6
  • Ruby 2.4
  • Ruby on Rails 5.0
  • Scala 2.10

  The list of updated runtime languages and databases in the 2.4 beta includes:

  • Apache HTTP Server 2.4
  • Apache Maven 3.3
  • Eclipse 4.6.2
  • Python 2.7
  • Thermostat 1.6

  The list of updated components in the Developer Toolset beta include the latest stable versions of the GNU Compiler Collection (GCC) 6, 6.3.1, and GNU Debugger (GDB). The toolset is accessible across architectures, supported on both RHEL for Power and RHEL for z Systems, and it's available on the RHEL Server for ARM Developer Preview.