In a prior blog entry, I discussed how we are resurrecting a Java interface for MPI in the upcoming v1.7 release of Open MPI.

Some users have already experimented with this interface and found it lacking, in at least two ways:

1. Creating datatypes of multi-dimensional arrays doesn’t work because of how Java handles them internally
2. The interface only supports a subset of MPI-1.1 functions

These are completely valid criticisms.  And I’m incredibly thankful to the Open MPI user community for taking the time to kick the tires on this interface and give us valid feedback.

Read More »

Tags: HPC, java, mpi, Open MPI

The new Oracle Java arbitrary code execution vulnerability  has not only hit many news wires and social media outlets, but many victims as well, and it has been incorporated into several exploit kits. This critical vulnerability, as documented in IntelliShield alert 27845, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. If the user has administrator privileges, the attacker could completely “own” the system. A fix is currently not available.

Update: Oracle released a software update (JDK7 update 11) that fixes this vulnerability. The update is available on their website. If you disabled Java in the Java Control Panel, you will need to manually re-enable it after installing the patch by using the check box in the Security tab of the Java Control Panel. Oracle’s security advisory and JDK7 update 11 release notes includes more information about the patch.

The exploit is now found in several exploit kits!

There are many reports that the vulnerability is being “exploited in the wild”. Not only is the exploit publicly available, but it has been incorporated into exploit kits such as Blackhole, Cool, and Nuclear Pack. Exploit kits make it easy for criminals to spread malicious software using exploits that take advantage of well-known and new vulnerabilities. New exploit kits are loaded with some of the most dangerous zero-day exploits (including this one) and other features, which allow criminals to increase their profits.

The impact to the public is huge!  Java is used by millions of users around the world. It is used in Microsoft Windows, Apple’s Mac OS-X, and Linux systems, as well as many mobile devices.   Read More »

Tags: cisco ips, java, java exploit, java security, java zero day

In the previous Part 1 post, I discussed the initial response, risk, and mitigations for the recently-disclosed zero day Oracle Java vulnerabilities that attackers have used in attacks against vulnerable end-user systems. Since then, Oracle has released software updates that correct the original flaw documented in IntelliShield alert 26751, as well as for additional vulnerabilities, as documented in IntelliShield alert 26831.

Attacks leveraging the Java vulnerabilities have increased, with reports indicating that tens of thousands of systems have been compromised. The malicious software toolkit BlackHole, documented in IntelliShield alert 25108, has incorporated the previously-reported Metasploit exploit and can be used to build exploits for use in attacks. Observed exploits have installed the Poison Ivy remote access trojan, and other malicious software may also be downloaded and installed using Poison Ivy, once installed on a vulnerable system.

Read More »

Tags: java, java security, Oracle, security, vulnerabilities

Security researchers discovered a Java vulnerability (documented in IntelliShield alert 26751) that attackers are using to install malicious software on a victim’s systems. No software updates are available that correct the vulnerability (Updates are now available, see Part 2 of the blog).  The attacks are currently limited in nature. There have been few reports of attacks that rely on the vulnerability. Now that Metasploit developed a functional exploit, continued attacks that leverage this vulnerability increase in likelihood as time goes on. US-CERT has issued a related vulnerability note. Administrators can monitor this and other ongoing activity at the Cisco Security Intelligence Operations portal.

It is not yet clear what attackers hope to gain out of the attacks observed in the wild. Goals may differ between individual attacks. Current exploits appear to install a malicious software dropper that may install other malicious software, but to what end is unknown. Attackers may attempt to install malicious software that monitors keyboard input and network communication, hoping to gain user credentials for either external resources to aid in fraudulent activity or to access other internal systems within the targeted site.
Read More »

Tags: client side attacks, java, java security, security

Back in the ’90s, there was a huge bubble of activity about Java in academic circles.  It was the new language that was going to take over the world.  An immense amount of research was produced mapping classic computer science issues into Java.

Among the projects produced were several that tried to bring MPI to Java.  That is, they added a set of Java bindings over existing C-based MPI implementations.  However, many in the HPC crowd eschewed Java for compute- or communication-heavy applications because of performance overheads inherent to the Java language and runtime implementations.

Hence, the Java+MPI=HPC efforts didn’t get too much traction.

But even though the computer science Java bubble eventually ended, Java has become quite an important language in the enterprise.  Java run-time environments, compilers, and programming models have steadily improved over the years.  Java is now commonly used for many different types of compute-heavy enterprise applications.

Read More »

Tags: HPC, java, mpi