PSA: Java 8 Update 131 breaks ASRock's IPMI Virtual console

m0nkey_

MVP
UPDATE November 16th 2017: It appears that ASRock have pushed out several BMC updates for the affected boards. Check the support page for your motherboard to see if it's available for you.

The latest Java 8 Update 131 breaks ASRock's IPMI Virtual console. Please do not update Java if you wish to continue accessing your board's IPMI.

This is due to Java 8 Update 131's increased security requirements, as shown by the error message displayed when attempting to run it:
Unsigned application requesting unrestricted access to system
The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned: http:// <IPMI Address> :80/Java/release/Win64.jar

Affected motherboards:
  • E3C224D2I
  • E3C226D2I
  • E3C236D2I
  • EPC612D4U-2T8R
  • C2550D4I
  • C2750D4I
You're encouraged to contact ASRock Rack support at http://event.asrockrack.com/tsd.asp to report this issue.

The latest Java version known to work with these boards is Java 8 Update 121, which can be downloaded from: http://www.oracle.com/technetwork/j...rchive-javase8-2177648.html#jre-8u121-oth-JPR

(Please note that you will need to sign in to, or create, an Oracle account to download previous versions.)

If your ASRock Rack board is affected, please reply and I'll update the list of affected boards.

Edit: It appears that ASRock Rack are aware of the issue and are working on a fix.
From: <[removed]@asrockamerica.com>
Subject: RE: $E3C224D2I$ Java 8 Update 131 prevents IPMI access (Canada)
Date: Tuesday, April 25, 2017 1:24 PM

Thank you for reaching out to us for support! We are aware of this issue and our BMC engineering team has been hard at work trying to come up with a solution. Hopefully it will be as simple as a BMC firmware update. But for the time being, would you please roll back to the previous Java version?

Updated: June 24th 2017 - Added additional motherboards to the list.
 

Ericloewe

Server Wrangler
Moderator
Edit: It appears that ASRock Rack are aware of the issue and are working on a fix.
I don't have high hopes. They needed six or so months to make their BMCs not completely overwhelm the serial flash with writes. This is bound to be somewhat more complicated than that.
 

nojohnny101

Wizard
I have Java 8 Update 131 build. I've been going back and forth with William at ASRock support on this very issue. For me it breaks down at "failing to download the application". I am still trying to rule out a network issue (as the box is remote) but this post makes me consider otherwise.

My hardware specs are in my signature below under "backup box"
 

m0nkey_

MVP
I have Java 8 Update 131 build. I've been going back and forth with William at ASRock support on this very issue. For me it breaks down at "failing to download the application". I am still trying to rule out a network issue (as the box is remote) but this post makes me consider otherwise.

My hardware specs are in my signature below under "backup box"
The reply I had was from William also.
 

anodos

Sambassador
iXsystems
The latest Java 8 Update 131 breaks ASRock's IPMI Virtual console. Please do not update Java if you wish to continue accessing your board's IPMI.

This is due to Java 8 Update 131's increased security requirements, as shown by the error message displayed when attempting to run it:


Affected motherboards:
  • E3C224D2I
  • E3C226D2I
You're encouraged to contact ASRock Rack support at http://event.asrockrack.com/tsd.asp to report this issue.

The latest Java version known to work with these boards is Java 8 Update 121, which can be downloaded from: http://www.oracle.com/technetwork/j...rchive-javase8-2177648.html#jre-8u121-oth-JPR

(Please note that you will need to sign in to, or create, an Oracle account to download previous versions.)

If your ASRock Rack board is affected, please reply and I'll update the list of affected boards.

Edit: It appears that ASRock Rack are aware of the issue and are working on a fix.

Wait, I thought Java was "write once, run anywhere". *Mind blown*
 

Ericloewe

Server Wrangler
Moderator
Wait, I thought Java was "write once, run anywhere". *Mind blown*
Write everywhere, run nowhere.

Sun oversold it and Oracle undeveloped it into oblivion.
 

Ian Carson

Explorer
Might be why it's still only "3 Billion Devices Run Java" 10 years after they first proudly announced that number in their update dialogs! :smile:

BTW you can add the C2750D4i to the list
 

thisman105

Dabbler
C2550D4I is also affected. Probably the C2750 also.

Edit: just read the above post, LOL
 

screamer

Dabbler
Hi all,

The problem is not just with ASRock IPMI; all applications signed with MD5withRSA are now treated as "unapproved".

Luckily, you can quickly override this by updating the file
C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\java.security

PS: the path can be different on your system, please update it to the correct one.

I opened the java.security file with Notepad and made the following changes (removed the MD5 exclusion):

Code:
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024


Code:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
	EC keySize < 224


Code:
jdk.tls.legacyAlgorithms= \
		K_NULL, C_NULL, M_NULL, \
		DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
		DH_RSA_EXPORT, RSA_EXPORT, \
		DH_anon, ECDH_anon, \
		RC4_128, RC4_40, DES_CBC, DES40_CBC, \
		3DES_EDE_CBC, \
	SSL_RSA_WITH_RC4_128_MD5


Code:
jdk.xml.dsig.secureValidationPolicy=\
	disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
	disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
	disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
	maxTransforms 5,\
	maxReferences 30,\
	disallowReferenceUriSchemes file http https,\
	minKeySize RSA 1024,\
	minKeySize DSA 1024,\
	noDuplicateIds,\
	noRetrievalMethodLoops
 

Adrian

Contributor
Thanks screamer. With those edits, and the Java Control Panel / Security Exception Site list updated appropriately, the console works.
Code:
http://freenas-m.hanley.stade.co.uk
http://freenas-m.hanley.stade.co.uk
http://freenas-m.hanley.stade.co.uk
 

Alan W. Smtih

Explorer
Thank you, screamer!

I just ran into and through this. Here's each edit's before and after as an additional reference.

Code:

# Original:

	jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

# Updated:

	jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024



Code:

# Original:

	jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
		EC keySize < 224

# Updated:

	jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
		EC keySize < 224



Code:

# Original: 

	jdk.xml.dsig.secureValidationPolicy=\
		disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
		disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
		disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
		disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
		maxTransforms 5,\
		maxReferences 30,\
		disallowReferenceUriSchemes file http https,\
		minKeySize RSA 1024,\
		minKeySize DSA 1024,\
		noDuplicateIds,\
		noRetrievalMethodLoops

# Updated:

	jdk.xml.dsig.secureValidationPolicy=\
		disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
		disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
		disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
		maxTransforms 5,\
		maxReferences 30,\
		disallowReferenceUriSchemes file http https,\
		minKeySize RSA 1024,\
		minKeySize DSA 1024,\
		noDuplicateIds,\
		noRetrievalMethodLoops



Code:

# Original:
   
	jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

# Updated:

	jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024	
   


NOTE: There's another item that references MD5.

Code:

	jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
		DSA keySize < 1024, EC keySize < 224



Leaving that as is didn't cause me problems. Just pointing it out here in case it becomes important in a future Java update.
 
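A narrower way to apply the workaround than editing every MD5 mention by hand, as an added example that is not from this thread or from Oracle: it changes only the one property the quoted error message implicates (jdk.jar.disabledAlgorithms), leaves jdk.certpath and jdk.tls untouched, and can put MD5 back once a BMC firmware fix is installed. The sample text is a constructed excerpt of the three properties as shown in the posts above; the function names are my own.

```python
import re

# Constructed sample (not a real file): the three java.security properties the
# thread discusses, as shipped in Java 8u131. A trailing backslash continues a
# value onto the next line, as in any .properties file.
SAMPLE_JAVA_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
"""


def _property_re(key):
    # "key=value" at line start; the value group swallows backslash-continued lines.
    return re.compile(
        r"^(?P<lhs>" + re.escape(key) + r"\s*=)(?P<value>(?:[^\n]*\\\n)*[^\n]*)$",
        re.MULTILINE,
    )


def disabled_tokens(text, key):
    """Comma-separated entries of `key`, with continuation lines joined."""
    m = _property_re(key).search(text)
    if m is None:
        raise KeyError(key)
    logical = m.group("value").replace("\\\n", " ")
    return [t.strip() for t in logical.split(",") if t.strip()]


def set_token_disabled(text, key, token, disabled):
    """Add (disabled=True) or remove (disabled=False) one exact entry such as
    "MD5" under `key`, leaving every other property byte-for-byte intact.
    Idempotent; word-boundary matching means "MD5" never touches "MD5withRSA"."""
    m = _property_re(key).search(text)
    if m is None:
        raise KeyError(key)
    value = m.group("value")
    present = token in disabled_tokens(text, key)
    if disabled and not present:
        value = token + ", " + value.lstrip()
    elif not disabled and present:
        tok = r"\b" + re.escape(token) + r"\b"
        value = re.sub(tok + r"\s*,\s*", "", value, count=1)  # "MD5, ..." mid-list
        value = re.sub(r",\s*" + tok, "", value, count=1)     # "..., MD5" at the end
    return text[: m.start("value")] + value + text[m.end("value"):]
```

Run it against a copy of your java.security (keep the original next to it) and feed the result back with `disabled=True` once the BMC update for your board is installed, so the JRE does not keep accepting MD5-signed JARs from every site afterwards.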

Gcon

Explorer
Thanks Screamer and Allan - those hacks allowed me to regain access to IPMI. My affected mobo is the following:
  • EPC612D4U-2T8R
We all need to pressure ASRockRack for a fix. Mine especially since it's a current selling version with a "new" logo next to it - so they are effectively selling defective gear. They need to move to HTML5 for IPMI functionality like SuperMicro are doing. Kinda regretting going with the cheaper "yum cha" option now (although it wasn't exactly cheap). ASRockRack have been horrible with support for the MiniSAS connector as well so I doubt they'll do anything about this. They're all about shipping product and not supporting what's already been sold, which is a reputation that many Asian suppliers have.
 

nojohnny101

Wizard
Can anyone share the location of the files that need to be modified on Mac OS X? I have tried looking in Library->Application Support->Oracle->Java->Deployment->security

But no dice. Anyone done this mod successfully on a Mac OS X system?
 

Alan W. Smtih

Explorer
Can anyone share the location of the files that need to be modified on Mac OS X? I have tried looking in Library->Application Support->Oracle->Java->Deployment->security

But no dice. Anyone done this mod successfully on a Mac OS X system?

I use a Mac but don't use it for IPMI for two reasons:

1. Installing Java on a Mac is a pain.
2. I really, really don't want Java on my Mac.

My workaround is to use a Windows Virtual Machine inside my Mac. I do the Java installs and tweaks there and use it for IPMI work.

I own a Windows 10 license for dev work, but you should be able to use the free VMs Microsoft offers for browser testing here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

I'd try "Microsoft Edge on Win10 (x64) Stable (#####)" with whatever the current version number is first.

If you don't already have VM Software, I'd go with VirtualBox. It's also free and can be downloaded from here:

https://www.virtualbox.org/wiki/Downloads

Note that the Microsoft VM only lasts for 90 days. So, make sure to keep the original copy so you can reinstall, or create a snapshot when you first install it so you can roll back easily.

It's still a bit of a pain, but well worth it for me compared to putting Java on my Mac.

Good luck.
 

SRSR333

Dabbler
Can confirm that this issue affects the E3C232/6D2I motherboards, and @screamer's and @Alan W. Smtih's detailed fixes enable the console to work again.

Like everyone else here, I'm partially regretting purchasing an ASRock Rack board just for the mini-ITX form factor, because SuperMicro doesn't sell mini-ITX boards... And mini-ITX boards each cost easily a hundred bucks more than micro-ATX boards... I lose every way. Too bad the Node 304 doesn't support microATX boards. With an SFX PSU, there's actually plenty of space in the case...
 
mir

Dabbler
No problems here:
java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-8u131-b11-2-b11)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)
 

qqBazz

Dabbler
Under OSX Sierra, I was able to work around this and regain console access by modifying

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security


and basically pulling out the MD5 from most of the places where it's mentioned.

Code:
adam@turbinado /L/I/J/C/H/l/security> diff -c original.java_security java.security
*** original.java_security	2017-07-06 05:07:29.000000000 -0500
--- java.security	2017-07-06 05:08:12.000000000 -0500
***************
*** 532,538 ****
  #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
  #
  #
! jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
	  DSA keySize < 1024, EC keySize < 224

  # Algorithm restrictions for signed JAR files
--- 532,538 ----
  #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
  #
  #
! jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \
	  DSA keySize < 1024, EC keySize < 224

  # Algorithm restrictions for signed JAR files
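Review bot: the jdk.certpath.disabledAlgorithms change (the `!` line dropping MD5) is broader than the failure this thread reports. The error quoted in the first post names a JAR signed with MD5withRSA, which is governed by jdk.jar.disabledAlgorithms in the next hunk, whereas this property controls certificate path validation for every TLS connection and code-signing certificate the JRE checks; Alan W. Smtih noted above that leaving it unchanged caused him no problems. Suggest reverting this hunk and keeping only the JAR property edit.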
***************
*** 570,576 ****
  # implementation. It is not guaranteed to be examined and used by other
  # implementations.
  #
! jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

  # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
  # (SSL/TLS) processing
--- 570,576 ----
  # implementation. It is not guaranteed to be examined and used by other
  # implementations.
  #
! jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024

  # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
  # (SSL/TLS) processing
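Review bot: this is the one edit the quoted error actually requires, but dropping MD5 from jdk.jar.disabledAlgorithms re-enables MD5-signed JARs for every applet and Web Start launch on this JRE, not just the BMC's Win64.jar. Suggest keeping the original line (the `*** 570,576 ****` side, `jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024`) noted next to the edit so it can be restored once the ASRock BMC firmware update mentioned at the top of the thread is applied.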
***************
*** 598,604 ****
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
! jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
	  EC keySize < 224

  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
--- 598,604 ----
  #
  # Example:
  #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
! jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
	  EC keySize < 224

  # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
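Review bot: removing MD5withRSA from jdk.tls.disabledAlgorithms is not needed for the symptom described. That entry governs signature algorithms accepted during the TLS handshake, while the quoted error is about the JAR's code signature, which the previous hunk's jdk.jar.disabledAlgorithms already addresses. Suggest leaving this property at its shipped value unless the BMC's HTTPS endpoint itself still fails after the JAR edit.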
***************
*** 752,758 ****
  #
  jdk.xml.dsig.secureValidationPolicy=\
	  disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
-	 disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
	  disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
	  disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
	  maxTransforms 5,\
--- 752,757 ----
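Review bot: the `-` line removing `disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5` changes jdk.xml.dsig.secureValidationPolicy, which applies to XML Signature (javax.xml.crypto) validation rather than to JAR or JNLP signature checks, so it does not contribute to fixing the console. The empty `--- 752,757 ----` side is fine, since a pure deletion in context-diff form shows no new-file lines. Suggest dropping this hunk; screamer's and Alan's lists above include the same edit, but neither post says it was required on its own.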
 

ruebenschuss

Cadet
THANK YOU SO MUCH, GUYS !!!
You saved my NAS...

I am trying to connect to an E3C232D2I IPMI from Mac OS X.
The java.security file can be found at:

# sudo find / -name "java.security"
/Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security

I made the edits accordingly and now the jviewer.jnlp works again.

However, although Safari does start the jviewer in the Preview Box on the Splash Screen, it is somehow unable to download the jviewer.jnlp and execute it as an external app. The Download-Popup never disappears.
Firefox does not show the Preview but is able to download the jviewer.jnlp. When I start it manually, the session key is expired and it does not connect...

So the security issue is somehow solved but I still need to fiddle around to actually connect to the Screen...

Thanks anyway for that very valuable hint!
 