Educause Security Discussion mailing list archives
Re: Java problems
From: Chuck Braden <j-braden () TAMU EDU>
Date: Mon, 14 Jan 2013 15:42:46 +0000
I am providing the comments below as they are written - can't be confirmed one way or the other
http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/#comments

Rabid Howler Monkey
January 12, 2013 at 2:06 pm <http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/comment-page-1/#comment-140930>

With regard to the difference of opinion between CERT and the National Vulnerability Database (i.e., NIST) on the vulnerability of Java SE versions prior to Java SE 7, inspection of the NIST link in the article indicates that Java SE 6 Update 35 and previous versions are vulnerable. Java SE 6 is currently at Update 38 and, therefore, would not be vulnerable. Thus, for Java SE 6 users, the safe thing to do is ensure that you are running Update 38, and if not, update your Java to Update 38 from Oracle's download site:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

P.S. 1 Am not taking sides on the CERT NIST dispute.

P.S. 2 Given that Oracle has been automatically migrating its Java SE 6 users to Java SE 7 starting as far back as November, 2012, it would appear that the miscreants may have timed their attack with this Java SE 7 exploit such that most Java SE users have the vulnerable version installed on their PCs. If true, then this whole thing could be characterized as an ambush. All the miscreants had to do was wait for Oracle to mostly complete the automatic migration of its Java SE 6 users to SE 7.

Luca <http://blog.nibblesec.org>
January 13, 2013 at 9:18 pm <http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/comment-page-1/#comment-141233>

Q: I'm using Java 6. Does that mean I don't have to worry about this?

There are two different issues involved in this attack.
(a) MBeanInstantiator affecting Java6 and Java7 and
(b) Reflection API abuse affecting Java7 only
That's the reason for such confusion. Btw, Adam Gowdiak confirmed it - being a world-class security expert for Java we can just listen to him and agree.

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Braden
Sent: Monday, January 14, 2013 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems

Everything I am reading says the most current version of 1.6 is not vulnerable to the zero day currently being exploited. However, you got all of 1 month before 1.6 goes End-of-life. The initial announcement about 1.7.11 seems to indicate the vulnerabilities identified in the last week are addressed with 1.7.11
http://nakedsecurity.sophos.com/2013/01/13/oracle-releases-cve-2013-0422-patch-for-java/

So here's some good news: Oracle has been on the ball and has already come out with a patch. Java 7 Update 11 <http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html> fixes both CVE-2013-0422 and a second vulnerability.

I also saw a couple of links that say 1.7.11 is still vulnerable - but it seems the existing code implemented a work around.
http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Monday, January 14, 2013 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java problems

Here's a Chicago Tribune story on Java security problems:
http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

We use Java 6 in order to run Banner. This article seems to suggest that Java 6 doesn't have the problem. People in my department have started to ask me what to do. What do you all think?

Kevin
Attachment:
smime.p7s
Description:
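The practical question in this thread is whether a given workstation's JRE is at or above the two updates named above (Java SE 6 Update 38, Java SE 7 Update 11). The following POSIX sh check is an added example, not part of the list discussion and not a tool from Oracle: it parses the version line that `java -version` prints and classifies it against those two thresholds. The function names, the sample `java -version` output (constructed) and the decision to treat any other family as "unknown" are my choices for illustration.

```shell
#!/bin/sh
# Added example (not from Oracle or from the list): classify a Java runtime
# version string against the patched updates named in this thread,
# Java SE 6 Update 38 and Java SE 7 Update 11. The sample `java -version`
# output below is constructed; on a real host capture it with
# `java -version 2>&1`, since the JRE prints it to stderr.

# Pull the quoted version out of `java -version` output, e.g. the line
#   java version "1.7.0_10"
# yields 1.7.0_10. Prints nothing if no such line is present.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one word for the given version string:
#   patched     at or above 6u38 / 7u11 for its family
#   vulnerable  a Java 6 or Java 7 runtime below that update
#   unknown     malformed string, or a family this thread does not cover
# Always returns 0 so it is safe to call under `set -e`.
java_patch_status() {
    ver="$1"
    case "$ver" in
        1.[0-9].[0-9]_[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    family=$(printf '%s' "$ver" | cut -d. -f2)
    # The update number is the digits after the underscore; a build suffix
    # such as -b05 is dropped.
    update=$(printf '%s' "$ver" | sed 's/^[^_]*_\([0-9][0-9]*\).*/\1/')
    case "$family" in
        6) min=38 ;;   # NVD lists 6u35 and earlier as affected; 6u38 is current
        7) min=11 ;;   # 7u11 is the release that fixes CVE-2013-0422
        *) echo unknown; return 0 ;;
    esac
    if [ "$update" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# Boolean form for use in `if`: true only when the runtime is patched.
java_is_patched() {
    [ "$(java_patch_status "$1")" = patched ]
}

# Constructed sample of a pre-patch Java 7 runtime's `java -version` output.
SAMPLE_OUTPUT='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)'

# Report on the sample; swap in "$(java -version 2>&1)" for a live check.
sample_version=$(java_version_from_output "$SAMPLE_OUTPUT")
echo "$sample_version: $(java_patch_status "$sample_version")"
```

A version string from an unrecognised family comes back as "unknown" rather than "patched", so a fleet report built on this does not silently pass runtimes the thread says nothing about.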
Current thread:
- Java problems Shalla, Kevin (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Roger A Safian (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Louis APONTE (Jan 14)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Louis APONTE (Jan 14)
- Re: Java problems Ludwig, David C. (Feb 01)
- Re: Java problems Dave Koontz (Feb 01)
- Re: Java problems McClenon, Brady (Jan 14)
- Re: Java problems Chuck Braden (Jan 14)