16 coaches online • Server time: 08:36
* * * Did you know? The best rusher is debog with 8789 rushing yards.
Log in
Recent Forum Topics goto Post 12-game Seasongoto Post Keeping vs rehiregoto Post All Star Bowl!!!
SearchSearch 
How do JAVA vulnerabilities effect FUMBBL
FUMBBL Forum Index » Game Clients » FFB Client
Post new topic   Reply to topic
View previous topic View next topic
Garion26



Joined: Nov 28, 2021
Post   Posted: Dec 22, 2021 - 15:59 Reply with quote Back to top
Hi Team,
I'm relatively new to FUMBBL but I'm trying to understand how recently reported JAVA vulnerabilities relate to FUMBBL.

https://nvd.nist.gov/vuln/detail/CVE-2021-2388

I realize we all love FUMBBL but we all want to be safe.
Can Christer and some of our IT savvy people talk about this?
C0ddlefish



Joined: Sep 17, 2019
Post   Posted: Dec 22, 2021 - 16:55 Reply with quote Back to top
Its been covered on Discord - Nothing to worry about is my basic understanding.
Garion26



Joined: Nov 28, 2021
Post   Posted: Dec 23, 2021 - 11:54 Reply with quote Back to top
appreciate it would love to hear more about this question.
Feels like it should be pinned.
policeshades



Joined: Oct 31, 2017
Post   Posted: Dec 23, 2021 - 11:59 Reply with quote Back to top
My company recently removed Java from my computer for the vulnerability reason. Beyond Fumbbl Sad, it also meant removing my citation/bibliography software. It was something I didn't feel informed enough about to argue. I would also like to hear more about if from someone who knows.
Christer



Joined: Aug 02, 2003
Post   Posted: Dec 23, 2021 - 12:07
FUMBBL Staff
 Reply with quote Back to top
TLDR: FFB isn't affected by this.

Longer form:

First off, there was another related big "Java" issue not too long ago where a popular logging framework had a flaw (Log4J). That issue does not apply to FFB either as FFB doesn't use Log4J, but is not the one referenced here.

Reading the CVE entry, there are a couple of things that makes FFB not be vulnerable:

1. We always recommend fully updated Java from java.com. Currently, this is Version 8 update 311. The CVE specifies 8u291. If you've kept your Java runtime up to date, meaning not ignoring those "you're running an old version and should update" popups, you're not affected.

2. The bug requires you to be running untrusted code, relying on the Sandbox to protect you. FFB is code signed and is not relying on the Sandbox for protection. Therefore, this bug does not apply to the FFB Client.

3. The bug does not apply to server-side code. This is specifically mentioned in the CVE page, and the bug requires manual user-actions which doesn't happen on the server-side. Thus, the bug does not apply to the FFB Server.
Garion26



Joined: Nov 28, 2021
Post   Posted: Dec 23, 2021 - 17:25 Reply with quote Back to top
Thank you Christer!
Much appreciated.
policeshades



Joined: Oct 31, 2017
Post   Posted: Dec 24, 2021 - 00:12 Reply with quote Back to top
Garion26 wrote:
Thank you Christer!
Much appreciated.

+1
Display posts from previous:     
 Jump to:   
All times are GMT + 1 Hour
Post new topic   Reply to topic
View previous topic View next topic
 FUMBBL Forum Index » Game Clients » FFB Client