Update/Security Information for RCE Releases
Quick Overview / Q&A
This section provides answers to the most typical questions about upgrading RCE.
"Do I need to upgrade if I am using RCE version ...?"
We generally recommend always using the latest release of RCE to get all improvements and bugfixes. Still, not every new release may be equally important for everyone. The table below indicates whether you should upgrade for critical bugfixes or security-related reasons.
| RCE Release(s) | Status | Recommended Version |
|---|---|---|
| 10.7.0 | ✅ Up to date, no action required. | - |
| 10.6.0 | If you are connecting with RCE to an SSH or Uplink server, upgrading is ❌ strongly recommended due to an update of an important third-party component. For all other RCE installations, upgrading is still ⚠️ recommended to get general third-party security updates. | 10.7.0 |
| 10.5.0 or older | These versions have important security issues, and are considered "end of life" (EOL). ❌ Upgrading from these versions is mandatory for both clients and servers! | 10.7.0 |
"Which version of Java can I (or should I) use?"
Due to our limited resources, we only test RCE against certain long-term support (LTS) versions of the Java Runtime Environment (JRE). Other versions may work as well, but we cannot give recommendations or feedback on them. The table below shows the compatibility situation of Java versions and RCE releases.
| Java Version | Status |
|---|---|
| 8.x | ❌ This was only supported up to RCE 10.4.1, which is "end of life" (EOL), so using this is not possible. |
| 11.x | ✅ Recommended for all current RCE releases; this is the most thoroughly tested version. |
| 17.x | ⚠️ Not explicitly tested; it will most likely still work, though. |
| 21.x | ✅ Tested to work for RCE 10.6.0 and higher, although not as thoroughly as Java 11.x. |
"Will my data or configuration be affected when I upgrade?"
Upgrading within the same major version (e.g. 10.x.x to a higher 10.x.x) should always be easy and safe. Just stop all running RCE installations, install the new version via one of the supported methods and start RCE again.
Upgrading to a new major version (e.g. from 10.x.x to 11.x.x) may sometimes require some extra steps or small adaptations. Check the upgrade notes for details.
"I am connecting to an RCE network with project partners who may use different versions of RCE. Will there be problems if I upgrade?"
The RCE team puts significant effort into ensuring that all releases within the same major version (e.g. all 10.x.x releases) are network compatible. This means that within the same major version, all partners can upgrade their RCE installations independently at any time, and interacting within the same RCE network will continue to work as usual.
In very rare cases, important bugfixes may require that both sides upgrade their installations, but this is not the case for any 10.x.x releases.
RCE versions of different major versions (e.g. one 10.x.x and one 11.x.x) can generally NOT connect to the same shared network. All partners connecting to such a common RCE network must agree to use the same major version. We generally recommend migrating to the latest major version of RCE as soon as practically possible.
Technical Details
Our Third-Party Security Process
Every RCE release is checked with a vulnerability (CVE) scanner before release. Each open CVE in a third-party component is manually investigated. Preferably, we address each CVE by upgrading the affected component. We also regularly upgrade particularly security-exposed components (network, cryptography, ...) proactively, even if there are no open CVEs.
Note that some CVEs that are flagged by security scanners may not in fact be a problem, for example because the vulnerable code is not reachable in RCE due to how the library is used. We typically try to fix these non-critical CVEs anyway by upgrading the component, just like for critical CVEs. In some cases, however, this is impossible, e.g. due to incompatibilities, or simply because no fixed version exists. In other cases, such a non-critical upgrade would be too complex and time-consuming to justify for something that poses no threat. For these cases, we keep an internal list of acceptable (typically non-exploitable) CVEs. We aim to make this list public in a future upgrade for transparency.
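The triage step described above, as an added example that is not RCE's own tooling: scanner findings are compared against an acceptance list, and an acceptance is only honoured when it was recorded for the exact component version that was scanned, since a "code is unreachable" verdict may no longer hold after a component upgrade. All component names and CVE identifiers below are constructed placeholders.

```python
"""Triage of third-party CVE scanner findings against an acceptance list.

Added example of the process described above (not RCE's own tooling).
Scanner findings and accepted CVEs below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# Constructed scanner output: one finding per (component, version, CVE).
SCAN_REPORT = json.dumps([
    {"component": "lib-net", "version": "1.2.0", "cve": "CVE-0000-00001", "severity": "HIGH"},
    {"component": "lib-net", "version": "1.2.0", "cve": "CVE-0000-00002", "severity": "MEDIUM"},
    {"component": "lib-xml", "version": "3.0.1", "cve": "CVE-0000-00003", "severity": "LOW"},
])

# Constructed acceptance list: each entry is bound to the exact component
# version it was assessed for, and records why the CVE is not exploitable.
ACCEPTED = [
    {"cve": "CVE-0000-00002", "component": "lib-net", "version": "1.2.0",
     "reason": "vulnerable API is never called by the application"},
    {"cve": "CVE-0000-00003", "component": "lib-xml", "version": "2.9.0",
     "reason": "affected parser feature disabled"},  # assessed for an older version
]

@dataclass(frozen=True)
class TriageResult:
    actionable: tuple   # CVEs that still need an upgrade or a fresh assessment
    accepted: tuple     # CVEs covered by a matching acceptance entry
    stale: tuple        # accepted CVEs whose assessed version differs from the scanned one

def triage(report_json: str, accepted: list) -> TriageResult:
    """Split scanner findings into actionable, accepted and stale-acceptance sets."""
    findings = json.loads(report_json)
    by_key = {(a["cve"], a["component"]): a for a in accepted}
    actionable, acc, stale = [], [], []
    for f in findings:
        entry = by_key.get((f["cve"], f["component"]))
        if entry is None:
            actionable.append(f["cve"])          # no assessment on record
        elif entry["version"] != f["version"]:
            stale.append(f["cve"])               # assessment made for another version
            actionable.append(f["cve"])          # must be re-assessed before release
        else:
            acc.append(f["cve"])
    return TriageResult(tuple(actionable), tuple(acc), tuple(stale))
```

A release gate would fail on a non-empty `actionable` set, so a stale acceptance blocks the release until someone re-assesses it for the new component version.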
Reporting Security Issues
If you think you have identified a security issue in RCE that goes deeper than "a CVE scanner flagged something" (see the section above), please contact us at rce@dlr.de. In particular, we welcome any feedback about issues affecting "RCE Uplink", as this feature is — by its very nature — typically used to connect across unsafe networks like the internet. We take all security reports seriously, and thank you in advance for any sincere input.
"AI"-generated Reports
Please note that while so-called "AI" code inspection tools may be used for inspiration, we kindly request that any report be based on a human's assessment that the issue does in fact exist and is reasonably relevant.