ehcache and quartz phone home

Description

Our campus network security folks are cracking down on the use of older versions of java on Desktop machines (with good reason).

They started flagging our agents as having an old version of java (they do...the agents use java 1.6). However, the way they discovered it was from:

Aug 15 16:32:37 snort[866]: [1:2011582:26] SNS-ALERT-POLICY_Vulnerable_Java_Version_1.6.x_Detected {TCP} xxx.xxx.xxx.xxx:52305 -> 64.95.112.228:80
Aug 15 16:32:37 snort[866]: [1:2011582:26] SNS-ALERT-POLICY_Vulnerable_Java_Version_1.6.x_Detected {TCP} xxx.xxx.xxx.xxx:47791 -> 64.95.112.233:80

This came as quite a shock to me. After all, why would java on the agents be hitting a web server somewhere?

Turns out those addresses resolve to terracotta.org, the makers of ehcache and quartz.

After a bit of google searching, turns out that ehcache and quartz phone home when they start up.
http://adammonsen.com/post/512

When it phones home it sends among other things:

a client ID taken from your local IP
os.name
java.vm.name
java.version
os.arch
QuartzVersion
EhCache version
something about source
uptime-secs
patch level from Quartz/EhCache

This is really really bad behavior. It looks like you can disable it by sending the following options to the jvm on startup.

-Dnet.sf.ehcache.skipUpdateCheck=true
-Dorg.terracotta.quartz.skipUpdateCheck=true

Activity

Jonathan Felder
August 16, 2013, 6:36 PM

So I verified with tcpdump. This is what it sent btw:

0040 73 69 47 45 54 20 2f 6b 69 74 2f 72 65 66 6c 65 siGET /k it/refle
0050 63 74 6f 72 3f 6b 69 74 49 44 3d 71 75 61 72 74 ctor?kit ID=quart
0060 7a 26 70 61 67 65 49 44 3d 75 70 64 61 74 65 2e z&pageID =update.
0070 70 72 6f 70 65 72 74 69 65 73 26 69 64 3d 32 31 properti es&id=21
0080 33 30 37 30 36 36 38 39 26 6f 73 2d 6e 61 6d 65 30706689 &os-name
0090 3d 4c 69 6e 75 78 26 6a 76 6d 2d 6e 61 6d 65 3d =Linux&j vm-name=
00a0 4f 70 65 6e 4a 44 4b 2b 36 34 2d 42 69 74 2b 53 OpenJDK+ 64-Bit+S
00b0 65 72 76 65 72 2b 56 4d 26 6a 76 6d 2d 76 65 72 erver+VM &jvm-ver
00c0 73 69 6f 6e 3d 31 2e 36 2e 30 5f 32 37 26 70 6c sion=1.6 .0_27&pl
00d0 61 74 66 6f 72 6d 3d 61 6d 64 36 34 26 74 63 2d atform=a md64&tc-
00e0 76 65 72 73 69 6f 6e 3d 31 2e 38 2e 35 26 74 63 version= 1.8.5&tc
00f0 2d 70 72 6f 64 75 63 74 3d 51 75 61 72 74 7a 26 -product =Quartz&
0100 73 6f 75 72 63 65 3d 51 75 61 72 74 7a 26 75 70 source=Q uartz&up
0110 74 69 6d 65 2d 73 65 63 73 3d 31 26 70 61 74 63 time-sec s=1&patc
0120 68 3d 55 4e 4b 4e 4f 57 4e 20 48 54 54 50 2f 31 h=UNKNOW N HTTP/1
0130 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 .1..User -Agent:
0140 4a 61 76 61 2f 31 2e 36 2e 30 5f 32 37 0d 0a 48 Java/1.6 .0_27..H
0150 6f 73 74 3a 20 77 77 77 2e 74 65 72 72 61 63 6f ost: www .terraco
0160 74 74 61 2e 6f 72 67 0d 0a 41 63 63 65 70 74 3a tta.org. .Accept:
0170 20 74 65 78 74 2f 68 74 6d 6c 2c 20 69 6d 61 67 text/ht ml, imag
0180 65 2f 67 69 66 2c 20 69 6d 61 67 65 2f 6a 70 65 e/gif, i mage/jpe
0190 67 2c 20 2a 3b 20 71 3d 2e 32 2c 20 2a 2f 2a 3b g, *; q= .2, /;
01a0 20 71 3d 2e 32 0d 0a 43 6f 6e 6e 65 63 74 69 6f q=.2..C onnectio
01b0 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 0d n: keep- alive...
01c0 0a .

I added the following to my matterhorn init script:
DISABLE_TERRACOTTA_PHONEHOME="-Dnet.sf.ehcache.skipUpdateCheck=true -Dorg.terracotta.quartz.skipUpdateCheck=true"

and

su -c "java -Dgosh.args='-noshutdown -c noop=true' $DEBUG_OPTS $DISABLE_TERRACOTTA_PHONEHOME $FELIX_OPTS $GRAPHICS_OPTS $TEMP_OPTS $MAVEN_ARG $JAVA_OPTS $PAX_CONFMAN_OPTS $LOG_OPTS $JMX_OPTS $JETTY_OPTS -jar $FELIX_HOME/bin/felix.jar $FELIX_CACHE 2>&1 > /dev/null &" $MATTERHORN_USER

After verifying again with tcpdump, it does appear to have stopped phoning home.
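
The request in the capture above, decoded field by field, together with a check for the two opt-out flags on a java command line. This is an added example, not part of the original ticket or the Matterhorn scripts. Reading `id` as a 32-bit IPv4 address is an assumption based on the description's "client ID taken from your local IP"; the function names and the sample command line are hypothetical.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit, parse_qs

# Request reassembled from the ASCII column of the capture above (Accept header omitted).
CAPTURED = (
    "GET /kit/reflector?kitID=quartz&pageID=update.properties&id=2130706689"
    "&os-name=Linux&jvm-name=OpenJDK+64-Bit+Server+VM&jvm-version=1.6.0_27"
    "&platform=amd64&tc-version=1.8.5&tc-product=Quartz&source=Quartz"
    "&uptime-secs=1&patch=UNKNOWN HTTP/1.1\r\n"
    "User-Agent: Java/1.6.0_27\r\nHost: www.terracotta.org\r\n"
    "Connection: keep-alive\r\n\r\n"
)
SKIP_FLAGS = ("-Dnet.sf.ehcache.skipUpdateCheck=true",
              "-Dorg.terracotta.quartz.skipUpdateCheck=true")

def parse_update_check(raw_request):
    """Return the fields an update-check request discloses, or None."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    url = urlsplit(parts[1])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    host = headers.get("host", "")
    if (url.path != "/kit/reflector"
            or query.get("pageID") != "update.properties"
            or not (host == "terracotta.org" or host.endswith(".terracotta.org"))):
        return None
    leaked = {k: v for k, v in query.items() if k not in ("kitID", "pageID")}
    leaked["user-agent"] = headers.get("user-agent", "")
    # Assumption: "id" is the local IPv4 address as a (possibly signed) 32-bit int.
    if leaked.get("id", "").lstrip("-").isdigit():
        addr = int(leaked["id"]) & 0xFFFFFFFF
        leaked["id-as-ipv4"] = str(ipaddress.IPv4Address(addr))
    return leaked

def missing_skip_flags(java_cmdline):
    """List the update-check opt-out flags absent from a java command line."""
    args = shlex.split(java_cmdline)
    return [flag for flag in SKIP_FLAGS if flag not in args]

if __name__ == "__main__":
    for name, value in sorted(parse_update_check(CAPTURED).items()):
        print(f"{name:14} {value}")
    print(missing_skip_flags("java -Dnet.sf.ehcache.skipUpdateCheck=true -jar felix.jar"))
```

The same parser can be pointed at request lines taken from proxy or IDS captures to find hosts that still send the update check.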

Lars Kiesow
August 17, 2013, 2:31 PM

I included these parameters into the new scripts:
As I build the RPMs for 1.4.1-rc2 today, they are already in there, too (The RPMs already use the new scripts for all 1.4.x versions).

Greg Logan
August 21, 2013, 4:53 PM

Resolved in trunk with rev 15420, merged to 1.4.x with rev 15421.

Fixed and reviewed

Assignee

Lars Kiesow

Reporter

Jonathan Felder

Priority

Major