ehcache and quartz phones home

Description

Our campus network security folks are cracking down on the use of older versions of java on Desktop machines (with good reason).

They started flagging our agents as having an old version of java (they do...the agents use java 1.6). However, the way they discovered it was from:

Aug 15 16:32:37 snort[866]: [1:2011582:26] SNS-ALERT-POLICY_Vulnerable_Java_Version_1.6.x_Detected {TCP} xxx.xxx.xxx.xxx:52305 -> 64.95.112.228:80
Aug 15 16:32:37 snort[866]: [1:2011582:26] SNS-ALERT-POLICY_Vulnerable_Java_Version_1.6.x_Detected {TCP} xxx.xxx.xxx.xxx:47791 -> 64.95.112.233:80

This came as quite a shock to me. After all, why would java on the agents be hitting a web server somewhere?

Turns out those addresses resolve to terracotta.org, the makers of ehcache and quartz.

After a bit of Google searching, turns out that ehcache and quartz phone home when they start up.
http://adammonsen.com/post/512

When it phones home it sends among other things:

a client ID taken from your local IP
os.name
java.vm.name
java.version
os.arch
QuartzVersion
EhCache version
something about source
uptime-secs
patch level from Quartz/EhCache

This is really really bad behavior. It looks like you can disable it by sending the following options to the jvm on startup.

-Dnet.sf.ehcache.skipUpdateCheck=true
-Dorg.terracotta.quartz.skipUpdateCheck=true

Steps to reproduce

None

Status

Assignee

Lars Kiesow

Reporter

Jonathan Felder

Criticality

None

Tags (folksonomy)

None

Components

Fix versions

Affects versions

2.1.1
1.4.1

Priority

Major
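
One way to check on a host that the two options from the description are actually in effect, as an added example that is not part of the original ticket or of the ehcache/quartz projects. The function names, the `--audit` switch and the reliance on Linux `/proc` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit JVM command lines for the two update-check opt-out
# properties named in the report. Helper names here are hypothetical.

REQUIRED_PROPS="net.sf.ehcache.skipUpdateCheck org.terracotta.quartz.skipUpdateCheck"

# Reads one JVM argument per line on stdin and prints, space-separated, every
# required property that is not set to "true". Prints nothing if all are set.
# Assumption: when a -D option is repeated, the last occurrence takes effect.
missing_flags() {
    args=$(cat)
    missing=""
    for prop in $REQUIRED_PROPS; do
        # Literal prefix match (no regex), keeping the value of the last match.
        value=$(printf '%s\n' "$args" | awk -v p="-D$prop=" \
            'index($0, p) == 1 { v = substr($0, length(p) + 1) } END { print v }')
        [ "$value" = "true" ] || missing="${missing:+$missing }$prop"
    done
    printf '%s' "$missing"
}

# Linux only (assumes /proc): reports every running process whose first
# argument is "java" or ends in "/java" and that lacks one of the properties.
audit_running_jvms() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # argv is NUL-separated in /proc; convert to one argument per line.
        argv=$(tr '\0' '\n' < "$f" 2>/dev/null) || continue
        case $(printf '%s\n' "$argv" | head -n 1) in
            java|*/java) ;;
            *) continue ;;
        esac
        m=$(printf '%s\n' "$argv" | missing_flags)
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        [ -z "$m" ] || printf 'pid %s: missing %s\n' "$pid" "$m"
    done
}

# Run the host audit only when asked to, e.g.: sh check_flags.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_running_jvms
fi
```

The audit only sees properties passed on the command line; a property set through the `JAVA_TOOL_OPTIONS` environment variable or in code will be reported as missing.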