Educause Security Discussion mailing list archives
Re: Kronos + Java
From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Wed, 11 Apr 2012 13:46:51 -0600
I replied to David separately and will be putting in a ticket on the issue. However, we worked through this issue by only allowing Kronos connections through Citrix. This allows the desktops to receive the latest version of Java with security fixes while limiting our risk to one or two Citrix servers. We also limit access to the Citrix servers from within the organization and have the ability to remove the Citrix server and rebuild quickly if a risk comes to infection.

-- -- Not perfect. But we have to have the product right now with the outdated Java.

Cheers --grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Steve Brukbacher <sab2 () UWM EDU> 4/11/2012 11:55 AM >>>
We were never able to really solve this problem either. We don't use Kronos any longer (thank goodness). It was very disappointing that the vendor did not do their part to help us keep our community secure.

--
Steve Brukbacher, CISSP
Information Security Officer
University of Wisconsin Milwaukee
Information Security Team
www.security.uwm.edu
Direct Phone: 414.229.2224
Security Office: 414.229.1100

On 4/11/12 10:39 AM, David Shettler wrote:
We are encountering a series of problems with our timecards vendor Kronos and Oracle's latest Java release. Java 1.6_31 causes sporadic problems in Kronos. Kronos support has proposed the solution that we down-rev Java on client workstations until they release their new version, which will happen "soon". 1.6_31 has been out since February.

We're not willing to put hundreds of Kronos users at risk by down-reving Java given the prevalence of malware exploiting earlier versions on the web. We've been struggling to do just the opposite since February, but even if we were: Firefox has blocklisted any earlier versions, and Apple has deployed 1.6_31 to counter new mac-malware.

Are other Kronos users experiencing this issue? Are you permitting down-reving of Java? Are you applying pressure on Kronos? We're hitting a brick wall with them, and their proposed solution seems archaic.

Thank you kindly,

David Shettler
Information Security Officer
College of the Holy Cross

------------------------------------------
ITS will _*never*_ request your password via email.