
Here’s a Chicago Tribune story on Java security problems:

http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

 

We use Java 6 in order to run Banner.  This article seems to suggest that Java 6 doesn’t have the problem.  People in my department have started to ask me what to do.  What do you all think?

 

Kevin

 

Comments

Brady
 
What I was hoping to address was that users can not be told they are okay, but rather that they should be at u38.
I think its been fairly well established this is a 1.7 issue. Some of my users will not update consistently, so this is the opportunity to have them caught up. No reference to patching 1.6 was intended.
 
la
On 1/14/2013 at 8:53 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA2408422@EXCHANGE2007.oneonta.edu>, "McClenon, Brady" <Brady.McClenon@ONEONTA.EDU> wrote:

Update 38 was released on 11/12/2012.   It doesn’t contain a patch to address a vulnerability Oracle was notified of on 1/11/2013.

 

 

Message from brady.mcclenon@oneonta.edu

I think you are correct.  The issue is not present in Java 6. :-)

 

 

Brady McClenon

Senior Server Administrator

Applications Research & Development

Information Technology Services

SUNY College at Oneonta

607-436-3203

 

“Quotes found on the internet are not always accurate.”  - Abraham Lincoln

 

 

 

 

I’m not sure if they’re correct or not, but even assuming they are: since Java 6 is basically not supported any more, how long do you think you can safely continue to use it?  Seems like at best you have just kicked the can down the road a little.

 

FWIW, I’d like to be wrong on this, since we use Kronos, and it has the same issue.  We’re recommending the non-java version right now.

 

Hopefully Oracle will put out some news today…

 

Message from brady.mcclenon@oneonta.edu

From http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

 

Affected product releases and versions:

  Java SE                                  Patch Availability
  JDK and JRE 7 Update 10 and earlier      Java SE

Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.

 

 

Message from j-braden@tamu.edu

Everything I am reading says the most current version of 1.6 is not vulnerable to the zero day currently being exploited. However, you’ve got all of 1 month before 1.6 goes End-of-life.  The initial announcement about 1.7.11 seems to indicate the vulnerabilities identified in the last week are addressed with 1.7.11.

 

http://nakedsecurity.sophos.com/2013/01/13/oracle-releases-cve-2013-0422-patch-for-java/

So here's some good news: Oracle has been on the ball and has already come out with a patch. Java 7 Update 11 fixes both CVE-2013-0422 and a second vulnerability.

 

 

I also saw a couple of links that says 1.7.11 is still vulnerable – but it seems the existing code implemented a work around.

 

http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/

http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu
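The Oracle alert quoted above gives a version rule (JDK and JRE 7 Update 10 and earlier affected; 6, 5.0 and 1.4.2 not affected) and Jimmy's note says 7u11 carries the fix. Below is an added example, not code from the thread or from Oracle, of how a desktop or server admin could apply that rule to captured `java -version` output across a fleet. It assumes the classic Oracle version string format (`java version "1.7.0_10"`), and the hostnames and outputs in the sample inventory are constructed for the example.

```python
"""Triage installed Java versions against the CVE-2013-0422 alert.

Added example for this thread, not Oracle's tooling. The affected-version
rule is the one in the quoted alert (7u10 and earlier affected; 6, 5.0 and
1.4.2 not affected); the fix release is 7u11; 6u38 is the update the thread
tells Java 6 users to be on. Assumes Oracle's "1.x.y_NN" version strings.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

FIXED_UPDATE_FOR_7 = 11        # Java 7 Update 11 carries the CVE-2013-0422 fix
LAST_PUBLIC_UPDATE_FOR_6 = 38  # Java 6 Update 38, per the thread's advice

# Matches the first line of `java -version`, e.g.  java version "1.7.0_10"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')


@dataclass(frozen=True)
class JavaVersion:
    family: int  # 6 for 1.6.x, 7 for 1.7.x, 4 for 1.4.2
    update: int  # the _NN suffix, 0 when absent


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Parse `java -version` output; returns None if the format is unknown."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def classify(v: JavaVersion) -> str:
    """Apply the alert's rule: only Java 7 Update 10 and earlier are affected."""
    if v.family == 7:
        return "affected" if v.update < FIXED_UPDATE_FOR_7 else "patched"
    if v.family in (4, 5, 6):
        return "not-affected"
    return "unknown"


def advice(v: Optional[JavaVersion]) -> str:
    """One triage line per host, including the Java 6 end-of-public-updates caveat."""
    if v is None:
        return "could not parse version; inspect host manually"
    label = f"Java {v.family}u{v.update}"
    status = classify(v)
    if status == "affected":
        return f"{label}: affected by CVE-2013-0422, update to Java 7u{FIXED_UPDATE_FOR_7}"
    if status == "patched":
        return f"{label}: carries the CVE-2013-0422 fix"
    if status == "not-affected" and v.family == 6 and v.update < LAST_PUBLIC_UPDATE_FOR_6:
        return (f"{label}: not affected by CVE-2013-0422 but behind 6u{LAST_PUBLIC_UPDATE_FOR_6}; "
                "update before public Java 6 updates end (Feb 2013)")
    if status == "not-affected":
        return f"{label}: not affected by CVE-2013-0422 (public Java 6 updates end Feb 2013)"
    return f"{label}: outside the alert's scope, review separately"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> triage line, given host -> captured `java -version` output."""
    return {host: advice(parse_java_version(out)) for host, out in inventory.items()}


def local_java_version() -> Optional[JavaVersion]:
    """Read the local JRE's version; note that `java -version` writes to stderr."""
    try:
        p = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(p.stderr + p.stdout)


# Constructed sample inventory: hostnames and captured output are made up.
SAMPLE_INVENTORY = {
    "banner-app01":  'java version "1.6.0_38"',
    "hr-desktop-17": 'java version "1.7.0_10"',
    "hr-desktop-22": 'java version "1.7.0_11"',
    "legacy-kiosk":  'java version "1.6.0_31"',
    "odd-host":      'bash: java: command not found',
}

if __name__ == "__main__":
    for host, line in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {line}")
```

In practice the inventory dict would be filled from whatever collects `java -version` per host (a login script, a software-inventory export); the point of keeping the rule in `classify` is that a 7u10 desktop and a 6u31 Banner workstation get different, defensible answers from the same data.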

 

This issue does impact only Java 7, so you should be ok with Java 6.  Also, this only impacts the JRE and JDK for Java 7, so your servers are safe.

 

A patch was released last night.  See the attached email from Oracle.

 

David

 

 

David Ludwig

Manager of Administrative Systems

Library & Information Systems Middlebury College

14 Old Chapel Road

Middlebury, VT 05753

Office: (802) 443-5692

Skype: Davidcludwig

 

It looks like there were some early conflicting reports on the issue, and this report (https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf)  seems to indicate that the fundamental code vulnerability also exists in Java 6.

However the latest consensus seems to be that this particular exploit requires both the code vulnerability and a new feature that only exists in Java 7 to successfully exploit a system.

At the moment, Java 6 seems to be unaffected.  Oracle is still saying they'll end support and updates for Java 6 at the end of February, though.

Kevin

On 1/14/2013 9:03 AM, Shalla, Kevin wrote:

Here’s a Chicago Tribune story on Java security problems:

http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

 

We use Java 6 in order to run Banner.  This article seems to suggest that Java 6 doesn’t have the problem.  People in my department have started to ask me what to do.  What do you all think?

 

Kevin

 

On the SE download page Oracle advises all version 6 users to move to update 38, not really a stand down as you're not affected.


The latest updates to that page (as of Sept. 19, 2012) state (emphasis added):

Java SE 6 End of Public Updates Notice

After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support.


What does this mean for Oracle E-Business Suite users?

EBS users fall under the category of "enterprise users" above.  Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 6 updates after February 2013.

In other words, nothing will change for EBS users after February 2013. 


The eBusiness and normal users support has created additional confusion about Java 6.




>>> On 1/14/2013 at 08:21 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA24083E6@EXCHANGE2007.oneonta.edu>, "McClenon, Brady" <Brady.McClenon@ONEONTA.EDU> wrote:

From http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

 

Affected product releases and versions:

  Java SE                                  Patch Availability
  JDK and JRE 7 Update 10 and earlier      Java SE

Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.

 

 

Message from j-braden@tamu.edu

I am providing the comments below as they are written – can’t be confirmed one way or the other

 

http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/#comments

Rabid Howler Monkey

January 12, 2013 at 2:06 pm

With regard to the difference of opinion between CERT and the National Vulnerability Database (i.e., NIST) on the vulnerability of Java SE versions prior to Java SE 7, inspection of the NIST link in the article indicates that Java SE 6 Update 35 and previous versions are vulnerable. Java SE 6 is currently at Update 38 and, therefore, would not be vulnerable.

Thus, for Java SE 6 users, the safe thing to do is insure that you are running Update 38, and if not, update your Java to Update 38 from Oracle’s download site:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

P.S. 1: I am not taking sides on the CERT/NIST dispute.

P.S. 2 Given that Oracle has been automatically migrating its Java SE 6 users to Java SE 7 starting as far back as November, 2012, it would appear that the miscreants may have timed their attack with this Java SE 7 exploit such that most Java SE users have the vulnerable version installed on their PCs. If true, then this whole thing could be characterized as an ambush. All the miscreants had to do was wait for Oracle to mostly complete the automatic migration of its Java SE 6 users to SE 7.

Luca

January 13, 2013 at 9:18 pm

Q: I’m using Java 6. Does that mean I don’t have to worry about this?

There are two different issues involved in this attack. (a) MBeanInstantiator affecting Java6 and Java7 and (b) Reflection API abuse affecting Java7 only

That’s the reason for such confusion. Btw, Adam Gowdiak confirmed it – being a world-class security expert for Java, we can just listen to him and agree.

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu

 

Message from brady.mcclenon@oneonta.edu

Update 38 was released on 11/12/2012.   It doesn’t contain a patch to address a vulnerability Oracle was notified of on 1/11/2013.

 

 
