Re: Kronos + Java

["Embry, Randall Paul" <rpembry () IU EDU>]

I don't know Kronos either, but I've been struggling with a much different scenario that might be similar in spirit, 
that boils down to this "non defect" introduced in JVM 1.6.0_29:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7133330

In our case, this is for LDAP calls from a server side application where we wrote the code that runs in the JVM. 
Unfortunately, we've been stuck as the Java folks dismissed it as a Microsoft bug. It would seem that new JVM features 
and security patches are bundled into the same releases. We have the luxury of (mostly) trusting the code running in 
our JVMs, dealing with this in desktop JVMs would seem completely untenable. 

Presuming Kronos is not relying on a security flaw, perhaps we could also align with Kronos to lean on Oracle/Java to 
provide some sort of a la carte security patching without bringing along new functionality?

Write once, run anywhere... Except the latest JVM :)

--Randall

On Apr 11, 2012, at 2:06 PM, Roger A Safian wrote:

> Maybe we could collectively lean on Kronos?  They suggested this to us as well, and it's completely unacceptable 
> behavior (IMHO) for a company whose product deals with this type of information to have such a  casual attitude 
> towards security.
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
> > Sent: Wednesday, April 11, 2012 12:38 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Kronos + Java
> >
> > Not familiar with Kronos, but have you explored installing multiple versions
> > of Java on the computer? Some apps let you specify the java folder, either
> > through a config file or in the registry.
> >
> > David Pirolo
> > Warner Pacific College
> >
> >
> > On Wed, 2012-04-11 at 11:39 -0400, David Shettler wrote:
> > > We are encountering a series of problems with our timecards vendor
> > > Kronos and Oracle's latest Java release.
> > >
> > >
> > > Java 1.6_31 causes sporadic problems in Kronos.  Kronos support has
> > > proposed the solution that we down-rev java on client workstations
> > > until they release their new version which will happen "soon".  1.6_31
> > > has been out since February.  We're not willing to put hundreds of
> > > Kronos users' at risk by down-reving Java given the prevalence of
> > > malware exploiting earlier versions on the web, we've been struggling
> > > to do just the opposite since February, but even if we were:  Firefox
> > > has blocklisted any earlier versions, and Apple has deployed 1.6_31 to
> > > counter new mac-malware.
> > >
> > >
> > > Are other Kronos users experiencing this issue?  Are you permitting
> > > down-reving of java?  Are you applying pressure on Kronos?  We're
> > > hitting a brick wall with them, and their proposed solution seems
> > > archaic.
> > >
> > >
> > > Thank you kindly,
> > >
> > >
> > > David Shettler
> > >
> > > Information Security Officer
> > >
> > > College of the Holy Cross
> > >
> > >
> > > ------------------------------------------
> > > ITS will never request your password via email.