19 tweets, 10 min read
Can someone who has received an email from the govt recently confirm if they have upgraded their mail servers in the past 2 years?
January 16, 2014

"there won't be a commercial version of GlassFish 4."

"Oracle continues to commercially support GlassFish v3 for the ***YEARS*** to come."

Years? 2? 3? 4? 5?

blogs.oracle.com/theaquarium/gl…
Premier Support Ends - Dec 2014

Extended Support Ends - Dec 2017

Sustaining Support - indefinite

oracle.com/us/support/lib…
Based on the above cut-off dates for support and the version of software they are using.

Guess what level of support @NICMeity was on?

Either they had no support contract at all or they had a 5 year "Premier Support" contract with Oracle which was not switched to "Extended Support" after the govt. changed in 2014.

oracle.com/support/lifeti…
So since 2014... the whole of Govt. of India's email infrastructure managed by @NICMeity seems to have had...

No "Software Updates"

No "Security alerts and updates"

No "Critical patch updates"

#DigitalIndia
And after 2017, there were no updates whatsoever from Oracle itself.

Their offer of "lifetime support" and "sustaining support" only means they'll help you migrate to the latest supported release (**IF** you opt for the category of support.)
#DigitalIndia is so secure! All sarkari emails are relying on 6 year old unsupported / past EOL software.

A version so ancient that Oracle has even removed the documentation.
docs.oracle.com/en/industries/…
It's not a question of getting any panic at all @rsprasad?

Our email is safe. Our email is secure?

Do you want to say it authentically, backed by a proper parliamentary law that Indian govt email system has won global appreciation @rsprasad?
Just like Aadhaar, sarkari email too must be...

"monitored on an almost regular basis as far as security parameters are concerned."

I'm sure that the lawyer in @rsprasad can prove that "almost regular basis" could even mean not even once in 6 years. #DigitalIndia
Now view all of this in the context of...

CERT-In Advisory CIAD-2020-0040 dated June 19, 2020 from @IndianCERT warning of a plot by "malicious actors" to impersonate "various authorities" starting from 21st June 2019.

What better way to impersonate "various authorities" than to target an unpatched and unmaintained email server that powers the communications of those authorities?
And wouldn't mail.gov.in which powers the email system of the Govt. of India including @PMOIndia count as National Critical Information Infrastructure?

Why hasn't @NCIIPC flagged the fact that it's running past-EOL unsupported software?
This is @NCIIPC's vision

"To facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation."

And it was established specifically to prevent such stupidity.

en.wikipedia.org/wiki/National_…
Of course this is not the first time that @NCIIPC has failed its mission.
People complained about the Aadhaar portal running on past-EOL software with known vulnerabilities for years and they did nothing about it.

captnemo.in/blog/2018/09/1…
And just like they did with that portal... I fully expect them to remove the HTTP Server header from mail.gov.in to hide the fact that it's running past-EOL software.

There are 18 known vulnerabilities in Glassfish Server 3.1.2

And only 2 of them are older than 2014.

So a total of 16 known vulnerabilities and @NCIIPC and @IndianCERT have failed to flag and update this publicly exposed webserver handling govt. email.

cvedetails.com/version/136591…
Thread by @kingslyj