Supported Java Versions for Graylog


(Ron) #1

Hi, we have an older version of Graylog installed (graylog-web-interface v1.2.2 (91c7822)). Would anyone know what the latest supported version of Java is?

Also, in the latest version, is Java deserialization mitigated in any way?

Thanks
-Ron


(Jan Doberstein) #2

What do you mean by supported?

Supported by this historical Graylog version or supported by Oracle?


(Ron) #3

Supported by Graylog. The reason I am asking is that we just went through a security audit, and one item that popped up was Java deserialization, and the only reason we have Java installed is for Graylog. I was also wondering whether Java serialization is mitigated in later versions of Graylog.


(Jan Doberstein) #4

We do not have a ready-to-use list to answer your question, so you must investigate a little on your own.

In the documentation, you can switch between the versions in the lower left corner; the installation requirements then always state which Java version that specific release supports.


(Tess) #5

Mind you: Java deserialization attacks are not just limited to old versions of Java. Sure, security updates and patches have fixed a lot of problems the past few years, but that does not mean that newer versions of Java are not susceptible. It is always an interplay between the programming language (Java) and the application (Graylog). If the application’s programmer makes mistakes, the language can’t always protect you.

In that regard, it would certainly serve you well to update Graylog (and Elastic, and Mongo, and the OS, and Java, etc. etc.). I mean, how old is version 1.2.2? :wink:

EDIT:
I looked up the release page for 1.2.2. @jan, I feel it’s a bit… what’s the word? In Dutch we’d say “onhandig”, “unbeholfen” in German, that the Graylog blog does not include a post date :slight_smile:

EDIT:
I thought the original article I linked to about too High Magic™, so here’s what OWASP have to say about it.


(Jan Doberstein) #6

> I looked up the release page for 1.2.2. @jan, I feel it’s a bit… what’s the word? In Dutch we’d say “onhandig”, “unbeholfen” in German, that the Graylog blog does not include a post date :slight_smile:

It is - the re-creation of the page made the post dates disappear … not the best move, but it happened. The best indicator of time is always the release page: https://github.com/Graylog2/graylog2-server/releases?after=1.3.0 and 1.2.2 is dated to 26 Oct 2015.

