

GlassFish Community vs JBoss Community: Patches

A recent post on The Aquarium highlighted one fairly compelling difference between the community versions of GlassFish and JBoss for enterprises to take into consideration: GlassFish provides security and bug fix updates to customers using either GlassFish Open Source Edition or Oracle GlassFish Server. JBoss typically does not.

JBoss has responded to this post explaining the JBoss Product Lifecycle and highlighting the benefits of using EAP vs. the Community Editions, and does make the point that community versions of JBoss are meant for cutting-edge apps. The problem with cutting-edge apps, however, is that their designers presumably want to make money off of them, too. Today, the most common method for accepting payments on the web is still the credit card, and if you are accepting credit card payments, you must comply with PCI compliance guidelines (in addition to any of the other compliance frameworks we have to follow).

This is unfortunate for JBoss because it would not be uncommon, at some point during a quarterly PCI compliance scan, to be tagged with vulnerabilities like "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure", where you are directed to install a hotfix or fixpack which simply isn't available if you are using the community version of the product. Yes, even though the vulnerability lists JBoss Enterprise Application Platform 4.2 and 4.3 as being vulnerable, the community version of JBoss 4.2 is just as vulnerable. The difference is that one does not have the ability to patch the community version at all; the options are to wait for the next community release that may include a fix for the problem, come up with some workaround, or move to EAP.

Consider the following issue with JBoss 5.0.1. JBoss 5.0.1 has a vulnerability that leaves the server subject not only to an information disclosure issue but to a particularly nasty denial-of-service vulnerability inherited from JBoss's use of Apache Tomcat. If you are a JBoss EAP 5.0.1 user, you have a patch available. If you are a community edition user, you're in a bit of a pickle. JBoss 5.0.1 Community Edition was released in February 2009 and version 5.1.0 was released about three months later. Has the fix been included in 5.1.0? It's tough to tell based on the release notes. (If anyone knows, let me know!)

One of the things that open source software is famous for over closed source equivalents is the rapid release of updates and patches, so to have a major project not doing this (and actually charging for updates) feels extremely strange.

So, the moral of the story here for infrastructure, operations, and security teams is that going live with a community version of JBoss is probably not a really good idea, whereas going live with that same cutting-edge application using GlassFish community edition is a little safer. You may still have concerns about commercial support vs. community support, but access to security updates does not appear to be an issue with GlassFish Open Source Edition.

Update: The first comment below is a response to this post from JBoss's Lead Security Architect, in which he appears to be agreeing with me that JBoss Community is not suitable for deployments if your organization has compliance requirements that must be adhered to. This should probably not be read as an official position from Red Hat/JBoss, however, as personal blogs do not reflect the opinions of the employer.

