oracle / coherence-operator

Oracle Coherence Operator
https://oracle.github.io/coherence-operator/docs/latest
Universal Permissive License v1.0
Oracle support for JMXMP? #564

Closed vroyer closed 1 year ago

vroyer commented 1 year ago

As you recommend using JMXMP in your documentation, could you at Oracle please provide support for JMXMP?

JMXMP is the best solution to avoid networking headaches when running Java applications on Kubernetes, but there are vulnerabilities (see the Acunetix blog), and Oracle does not provide TLS support on VisualVM for JMXMP (see the VisualVM issue).

Thanks in advance.

thegridman commented 1 year ago

As the blog post you linked to says, Oracle no longer even supports some of this and there is in fact no way to even report the issues. All we can really do here is update the documentation to mention the vulnerabilities and recommend that JMXMP only be used during dev and testing. We've done a lot of work in Coherence itself for JEP-290, but the JMXMP libraries are not owned or maintained by my team. Coherence has other ways to get our MBean and metrics information that do support TLS.

thegridman commented 1 year ago

I'm closing this because, as stated above, other than documenting the fact that JMXMP is not recommended for production, there is not much more we can do. Doc changes done in #583.