Java 7 Vulnerabilities

By Ross Madden
Published on January 16, 2013 10:33 am MT
Updated on January 16, 2013 10:34 am MT
Posted in Internet & Networking, Security, Security News

Most of us are aware of this by now, but I received the following, very well-written explanation of the problem and the steps to take at this point. As before, when I get these and feel they should be given a wider audience, I will repost them for the CNSIT community.

“As everyone is probably painfully aware, Java has some major problems right now… and Oracle hasn’t been overly convincing in providing a fix, despite releasing a patch over the weekend. The Department of Homeland Security has reiterated its recommendation to uninstall/disable Java, but we rely heavily on Java for a few critical applications and we can’t just shut it down. So what I can do is outline the issues, give an overview of the CSU use cases, and make our best recommendation. Alas, there’s not a clean, elegant way to solve this that both enables and protects our mission-critical applications.

Java version numbering can be a bit confusing, so here’s a quick primer:

  • “Java 7” is a shorthand notation for the Java Standard Edition numbered 1.7.x, where the ‘x’ is the update number. The other naming scheme that tends to be used looks like Java 7ux (for example, Java 7u11). The problematic update that contained the most recent critical security vulnerability was 1.7.10, or Java 7u10. The patch released to fix that problem is 7u11, and is the most recent version that a web download or auto-updater should install.
  • “Java 6” is the similar naming scheme for the previous major release; the most recent patch of that line is 6u38. It’s not perfect from a security point of view, and it lacks some of the functionality introduced in the Java 7 line, but it has continued to receive updates and it does seem to be immune to the particular vulnerability introduced last week. It’s also the required version for our central Oracle apps (read on…). That update can be accessed on Oracle’s Java 6 download site: http://www.java.com/en/download/manual_v6.jsp

The major applications/suites on campus that use Java: (there are others in use, but these are the big three)

  • Oracle HR and the other Oracle apps reachable via CAP (includes Timecard Approval). Doesn’t support Java 7, so some version of Java 6 is required. Appears to work well under the most recent version of this line (6u38).
  • RamCT Blackboard. Several features (including chat and file uploads) require Java. Has been tested to work well under both Java 6 and Java 7. RamCT Blackboard doesn’t work well if more than one version of Java is installed, so if one computer does both Blackboard and Timecard Approval, then Java 6u38 should be used.
  • Junos Pulse VPN (aka Juniper SSL gateway, secure.colostate.edu). For Windows and IE, Java is not a requirement, as all advanced functions can be performed with ActiveX controls (though with no Java at all, there will be a few error messages to click through when initially installing some of the controls). For other combinations (Windows + Firefox, Windows + Chrome, and all combinations on Mac and Linux), Java is required to do more than the basic HTML redirect… so RDP, SSH, Network Connect, Secure Meeting (now Pulse Collaboration), and Secure Application Manager… these all require Java of some sort. Getting them to work under Java 6 can be problematic, so heavy users will probably want to use the latest version of Java 7.

So here are the possible stances:

1) I don’t use any of those applications; I’ll just remove Java from my system. Safe from harm, though other sites may stop working correctly.

2) I just use RamCT Blackboard: Java 7u11 with auto-update enabled OR Java 6u38 with auto-update disabled (either should work).

3) I just use central administrative apps: Java 6u38 with auto-update disabled.

4) I use both RamCT Blackboard AND central administrative apps: Java 6u38 with auto-update disabled.

5) I don’t use Blackboard/CAP, but use the SSL gateway on Windows with IE: may be able to get by without any Java at all.

6) I use the SSL gateway with some other combination of OS/browser: should probably have Java 7u11.

One important note, no matter which you choose: many applications (including both Blackboard and the SSL gateway) get cranky if there’s more than one version of Java installed, so it can’t be as simple as just installing both versions. Alas…

Of course, we’ll keep an eye on what Oracle does with Java, both from a security point of view and for its ability to interface with our central administrative applications. If we find a simple fix, you’ll be the first to know about it!”
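As an added example (not part of the quoted message, and not something the message's author distributed): a small Python check that turns the version strings discussed above into a (major, update) pair, compares it against the minimums the message recommends (7u11 for the Java 7 line, 6u38 for the Java 6 line), and flags the side-by-side install that Blackboard and the SSL gateway dislike. It accepts the "1.7.x" and "7ux" shorthands from the primer as well as the `java version "1.7.0_11"` banner that Oracle's Java 6/7 `java -version` prints to stderr. The sample banners are constructed, and their build numbers are illustrative only.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Minimum update level per major line, taken from the message above:
# 7u11 is the fix for the 7u10 vulnerability, 6u38 is the latest Java 6 patch.
MIN_UPDATE: Dict[int, int] = {6: 38, 7: 11}

# One pattern for the three spellings in circulation:
#   1.7.0_11   the string `java -version` prints
#   1.7.11     the "1.7.x" shorthand used in the primer
#   7u11       the "7ux" shorthand
_VERSION_RE = re.compile(
    r"(?<!\d)(?:"
    r"1\.(?P<maj_a>[67])\.(?:0_)?(?P<upd_a>\d+)"
    r"|(?P<maj_b>[67])u(?P<upd_b>\d+)"
    r")(?!\d)"
)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for the first Java 6/7 version found in text, else None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major = int(m.group("maj_a") or m.group("maj_b"))
    update = int(m.group("upd_a") or m.group("upd_b"))
    return major, update


def short_name(major: int, update: int) -> str:
    """Render a version in the 7u11 / 6u38 style used in the recommendations."""
    return f"{major}u{update}"


def is_patched(major: int, update: int) -> bool:
    """True if this install is at or above the recommended update for its line."""
    minimum = MIN_UPDATE.get(major)
    return minimum is not None and update >= minimum


def assess(version_outputs: List[str]) -> Dict[str, object]:
    """Classify each `java -version` banner and flag side-by-side installs.

    Returns {"installs": [(name, patched), ...], "multiple": bool, "findings": [str, ...]}.
    """
    installs: List[Tuple[str, bool]] = []
    findings: List[str] = []
    for out in version_outputs:
        parsed = parse_java_version(out)
        if parsed is None:
            # Anything that is not a Java 6/7 banner is outside this guidance.
            installs.append(("unrecognised", False))
            findings.append("unrecognised version output; treat as unpatched")
            continue
        name = short_name(*parsed)
        ok = is_patched(*parsed)
        installs.append((name, ok))
        if not ok:
            wanted = short_name(parsed[0], MIN_UPDATE[parsed[0]])
            findings.append(f"{name}: below {wanted}, update it")
    # Blackboard and the SSL gateway misbehave with more than one Java installed,
    # so a second install is itself a finding.
    multiple = len(installs) > 1
    if multiple:
        findings.append("more than one Java installed; keep only the one your applications need")
    return {"installs": installs, "multiple": multiple, "findings": findings}


def local_java_version() -> Optional[str]:
    """Run `java -version` on this machine; Java prints the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None  # no java on PATH: stance 1 in the message above
    return proc.stderr or proc.stdout


# Constructed sample banners (not captured from a real machine); the build
# numbers are illustrative only.
SAMPLE_OUTPUTS = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
]

if __name__ == "__main__":
    report = assess(SAMPLE_OUTPUTS)
    for name, ok in report["installs"]:
        print(f"{name}: {'ok' if ok else 'UPDATE'}")
    for finding in report["findings"]:
        print("-", finding)
```

To check a real machine, pass `[local_java_version()]` to `assess()` instead of the constructed samples; on a system with two JREs you would collect one banner per installation (each `java` binary, not just the one first on PATH), which is exactly the case the message says Blackboard and the SSL gateway handle badly.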
