Re: Java vs. Banner

[David Curry <david.curry () NEWSCHOOL EDU>]

The most up-to-date information we know of for Banner Java 7 support is the
table in the Ellucian Java FAQ that was last updated on Feb. 14th. I'm
hesitant to post details from that document in a public forum as I don't
know its disclosure rules, but suffice to say it does not leave us feeling
very warm and fuzzy.

--Dave


--

*DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY

*THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry () newschool edu



On Thu, Feb 21, 2013 at 1:24 PM, Shalla, Kevin <kshalla () uic edu> wrote:

>  Dave,****
>
> ** **
>
> I heard that Ellucian released a statement on 12/5 indicating they are
> still wrapping up testing for Banner Administrative Forms with Java 7 and
> hoped to have general support available in January or February.  We’re not
> holding our breath, and I see you’re not either.  We’ve been advising
> people to use IE only for Banner and other on-campus systems.  For anything
> off campus they’re supposed to use Firefox with Java disabled.****
>
> ** **
>
> Kevin****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Curry
> *Sent:* Thursday, February 21, 2013 12:09 PM
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Java vs. Banner****
>
> ** **
>
> As those of you at schools using Banner know, Ellucian has still not
> certified Banner to run on Java 7; Java 6 (including the browser plug-in)
> must be installed on end users' desktops. Java 6, of course, has reached
> the end of its public update period, which means any future updates after
> the end of this month will come through Ellucian rather than Oracle (or so
> they tell us).****
>
> ** **
>
> Aside from the increased difficulty of trying to keep a down-rev version
> of Java installed on systems used by Banner users, especially since our
> users have admin rights and are therefore free to update Java when they
> want and will do so if another application asks them to, we are of course
> concerned that maintaining a down-rev version of the Java plug-in will
> expose these systems to increased risk of compromise because of security
> vulnerabilities. This is particularly worrying because, of course, the
> people who use Banner are also the people who work with lots of personally
> identifiable information.****
>
> ** **
>
> Java 7 support from Ellucian doesn't appear to be imminent, so we believe
> we need to find a medium-term solution to this problem that lets our Banner
> users continue to use Java 6, but does not expose them to increased risk by
> allowing them to use a browser containing the Java 6 plug-in to access the
> Internet. We have some preliminary thoughts on ways to address the issue,
> ranging from "use this browser to access Banner and that browser to access
> the Internet" (which doesn't come with a very high assurance level) to
> installing Windows XP Compatibility Mode on all Banner users' machines and
> running Banner+Java 6 in a virtual machine (a lot of work to implement).**
> **
>
> ** **
>
> Before we go one way or the other, we thought we'd ask the list -- what is
> your school doing in response to the whole Java vs. Banner thing?****
>
> ** **
>
> Thanks,****
>
> --Dave****
>
>
> ****
>
> ** **
>
> --****
>
> *DAVID A. CURRY, CISSP* • DIRECTOR OF INFORMATION SECURITY****
>
> *THE NEW SCHOOL* • 55 W. 13TH STREET • NEW YORK, NY 10011****
>
> +1 212 229-5300 x4728 • david.curry () newschool edu ****