Educause Security Discussion mailing list archives
Re: Kronos + Java
From: "Embry, Randall Paul" <rpembry () IU EDU>
Date: Wed, 11 Apr 2012 18:34:25 +0000
I don't know Kronos either, but I've been struggling with a much different scenario that might be similar in spirit, that boils down to this "non defect" introduced in JVM 1.6.0_29: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7133330

In our case, this is for LDAP calls from a server-side application where we wrote the code that runs in the JVM. Unfortunately, we've been stuck as the Java folks dismissed it as a Microsoft bug.

It would seem that new JVM features and security patches are bundled into the same releases. We have the luxury of (mostly) trusting the code running in our JVMs; dealing with this in desktop JVMs would seem completely untenable.

Presuming Kronos is not relying on a security flaw, perhaps we could also align with Kronos to lean on Oracle/Java to provide some sort of a la carte security patching without bringing along new functionality?

Write once, run anywhere... Except the latest JVM :)

--Randall

On Apr 11, 2012, at 2:06 PM, Roger A Safian wrote:
> Maybe we could collectively lean on Kronos? They suggested this to us as well, and it's completely unacceptable behavior (IMHO) for a company whose product deals with this type of information to have such a casual attitude towards security.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
> Sent: Wednesday, April 11, 2012 12:38 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Kronos + Java
>
> Not familiar with Kronos, but have you explored installing multiple versions of Java on the computer? Some apps let you specify the Java folder, either through a config file or in the registry.
>
> David Pirolo
> Warner Pacific College
>
> On Wed, 2012-04-11 at 11:39 -0400, David Shettler wrote:
> > We are encountering a series of problems with our timecards vendor Kronos and Oracle's latest Java release. Java 1.6_31 causes sporadic problems in Kronos. Kronos support has proposed the solution that we down-rev Java on client workstations until they release their new version, which will happen "soon". 1.6_31 has been out since February.
> >
> > We're not willing to put hundreds of Kronos users at risk by down-revving Java given the prevalence of malware exploiting earlier versions on the web; we've been struggling to do just the opposite since February. But even if we were: Firefox has blocklisted any earlier versions, and Apple has deployed 1.6_31 to counter new Mac malware.
> >
> > Are other Kronos users experiencing this issue? Are you permitting down-revving of Java? Are you applying pressure on Kronos? We're hitting a brick wall with them, and their proposed solution seems archaic.
> >
> > Thank you kindly,
> > David Shettler
> > Information Security Officer
> > College of the Holy Cross
> > ------------------------------------------
> > ITS will never request your password via email.
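An inventory check in the spirit of the down-rev concern raised in the thread, added here as an example and not code from any of the posters: it parses the first line of `java -version` output collected from workstations (constructed sample hosts with hypothetical names) and flags every JVM older than 1.6.0_31, so that down-revved or unparseable installs are found rather than assumed absent.

```python
import re
from typing import Dict, List, Optional, Tuple

# Java 6 reports itself as "1.6.0_31": major.minor.patch plus an update number.
# Lines without an update suffix (e.g. "1.7.0") are treated as update 0.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Lowest update the thread wants kept on client workstations (1.6.0_31).
MINIMUM = (1, 6, 0, 31)

# Constructed sample inventory (hypothetical hostnames): host -> first line of
# `java -version` output as captured from that machine.
SAMPLE_INVENTORY: Dict[str, str] = {
    "lab-pc-01": 'java version "1.6.0_31"',
    "lab-pc-02": 'java version "1.6.0_29"',          # down-revved, as Kronos proposed
    "lab-pc-03": 'java version "1.7.0_03"',
    "lab-pc-04": 'java version "1.6.0_24"',
    "lab-pc-05": "bash: java: command not found",    # nothing parseable; flag for review
}

def parse_java_version(line: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) for a 1.x-style version line, else None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))

def find_outdated(inventory: Dict[str, str],
                  minimum: Tuple[int, int, int, int] = MINIMUM) -> List[Tuple[str, str]]:
    """List (host, version) pairs that are older than `minimum` or could not be parsed.

    Tuple comparison gives the right ordering: 1.7.0_03 is newer than 1.6.0_31 even
    though its update number is smaller.
    """
    outdated: List[Tuple[str, str]] = []
    for host, line in sorted(inventory.items()):
        version = parse_java_version(line)
        if version is None:
            outdated.append((host, "unparsed"))
        elif version < minimum:
            outdated.append((host, "%d.%d.%d_%02d" % version))
    return outdated

if __name__ == "__main__":
    for host, shown in find_outdated(SAMPLE_INVENTORY):
        print(f"{host}: {shown} (below 1.6.0_31, needs attention)")
```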