Educause Security Discussion mailing list archives

Re: Java problems


From: Dave Koontz <dkoontz () MBC EDU>
Date: Fri, 1 Feb 2013 19:04:24 -0500

Thanks!   Seems like a never ending cycle.

JAVA = (J)ust (A)nother (V)ulnerable (A)pplication?  :-)


Sent from my iPad

On Feb 1, 2013, at 5:50 PM, "Ludwig, David C." <dludwig () MIDDLEBURY EDU> wrote:

Full patch was just released - http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Also we recently got some clarity regarding end of life support for Java 6.  Public updates will no longer be 
released, but we can still get updates until 2017 as part of Oracle “support for life” via either Ellucian or our 
Oracle Site license. 
 
David Ludwig
Manager of Administrative Systems
Library & Information Systems Middlebury College
14 Old Chapel Road
Middlebury, VT 05753
Office: (802) 443-5692
Skype: Davidcludwig
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis APONTE
Sent: Monday, January 14, 2013 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems
 
Brady
 
What I was hoping to address was that users cannot be told they are okay, but rather that they should be at u38. 
I think it's been fairly well established this is a 1.7 issue. Some of my users will not update consistently, so this 
is the opportunity to have them caught up. No reference to patching 1.6 was intended.
 
la
On 1/14/2013 at 8:53 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA2408422 () EXCHANGE2007 oneonta edu>, 
"McClenon, Brady" <Brady.McClenon () ONEONTA EDU> wrote:
Update 38 was released on 11/12/2012.   It doesn’t contain a patch to address a vulnerability Oracle was notified of 
on 1/11/2013.
 
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Louis APONTE
Sent: Monday, January 14, 2013 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems
 
On the SE download page Oracle advises all version 6 users to move to update 38, not really a stand-down as "you're not 
affected."
 
The latest updates to that page (as of Sept. 19, 2012) state (emphasis added):
Java SE 6 End of Public Updates Notice
After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 
downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. 
Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public 
download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as 
general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support .
 
What does this mean for Oracle E-Business Suite users?
EBS users fall under the category of "enterprise users" above.  Java is an integral part of the Oracle E-Business 
Suite technology stack, so EBS users will continue to receive Java SE 6 updates after February 2013.
In other words, nothing will change for EBS users after February 2013. 
 
The separate E-Business and normal user support has added additional confusion about Java 6.
 

On 1/14/2013 at 08:21 AM, in message <5220D448876FCD43ABAD3F71AC8184483BA24083E6 () EXCHANGE2007 oneonta edu>, 
"McClenon, Brady" <Brady.McClenon () ONEONTA EDU> wrote:
From http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
 
Affected product releases and versions:

  Product    Affected versions                      Patch Availability
  Java SE    JDK and JRE 7 Update 10 and earlier    Java SE

Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.
 
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Monday, January 14, 2013 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems
 
I’m not sure if they’re correct or not, but even assuming they are: since Java 6 is basically not supported any 
more, how long do you think you can safely continue to use it?  Seems like at best you have just kicked the can down 
the road a little.
 
FWIW, I’d like to be wrong on this, since we use Kronos, and it has the same issue.  We’re recommending the non-java 
version right now.
 
Hopefully Oracle will put out some news today…
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Monday, January 14, 2013 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java problems
 
Here’s a Chicago Tribune story on Java security problems:
http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story
 
We use Java 6 in order to run Banner.  This article seems to suggest that Java 6 doesn’t have the problem.  People in 
my department have started to ask me what to do.  What do you all think?
 
Kevin
 
 
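As an added example that is not part of the thread (none of the posters or Oracle supplied it), the following Python script turns the version facts quoted above into a host triage check: it parses the first line of `java -version` output and reports whether the installed release falls in the "JDK and JRE 7 Update 10 and earlier" range named in the CVE-2013-0422 alert, and, for Java 6 hosts, whether they are behind the 6u38 that Louis says Oracle's download page points Java 6 users to. The sample `java -version` lines are constructed for the example, not captured from real hosts; the function and constant names are the example's own.

```python
import re
import subprocess

# Version facts as quoted from Oracle's alert in the thread above
# (CVE-2013-0422): JDK and JRE 7 Update 10 and earlier are affected;
# JDK/JRE 6, 5.0, 1.4.2 and Java SE Embedded are listed as not affected.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 10
# Update that the thread says Oracle's download page directed Java 6 users to.
JAVA6_RECOMMENDED_UPDATE = 38

# Matches the first line of `java -version`, e.g.  java version "1.7.0_10"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) from `java -version` output.

    Legacy numbering "1.X.Y_U" maps to major X (1.7.0_10 -> (7, 10));
    a missing "_U" suffix is treated as update 0.
    """
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output[:60])
    first, second, _third, update = m.groups()
    major = int(second) if int(first) == 1 else int(first)
    return major, int(update) if update is not None else 0


def is_affected_by_cve_2013_0422(output):
    """True only for the 7u10-and-earlier range named in the alert."""
    major, update = parse_java_version(output)
    return major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE


def triage(output):
    """One-line verdict for a host, based only on the version facts above."""
    major, update = parse_java_version(output)
    if major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE:
        return "AFFECTED: Java 7 Update %d is 7u10 or earlier; patch or remove" % update
    if major == AFFECTED_MAJOR:
        return "not listed as affected: Java 7 Update %d is later than 7u10" % update
    if major == 6 and update < JAVA6_RECOMMENDED_UPDATE:
        return ("not affected by CVE-2013-0422, but Java 6 Update %d is behind 6u38; "
                "bring it to 6u38" % update)
    return "not affected: Java %d Update %d is not in the alert's affected list" % (major, update)


def local_java_version():
    """Run `java -version` on this host; it prints to stderr, so capture both."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


# Constructed sample `java -version` output, not captured from real hosts.
SAMPLES = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    'java version "1.7.0_11"',
    'java version "1.6.0_38"',
    'java version "1.6.0_35"',
    'java version "1.4.2_19"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-26s %s" % (s.splitlines()[0], triage(s)))
    local = local_java_version()
    if local:
        print("this host:", triage(local))
```

The check deliberately encodes only what the alert states (the 7u10-and-earlier range and the "not affected" list); it says nothing about which later update carries the fix, so a "not listed as affected" result for a newer 7.x build means exactly that and not "patched". Point the script at the output of `java -version` on each host (or at a collected inventory of those strings) rather than trusting a user's report that they are "on Java 6".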
