Without knowing the recommendation from IT Services regarding JRE 6 for DocViewer I installed JRE 7 on a Windows 7 computer for a user that uses DocViewer on a periodic basis for a limited set of reports that she cannot get from EBS or anywhere else.

FYI: Her computer has had Java 7 Update 7 since October without any problems with DocViewer.

-Stefan

On 2/5/2013 4:02 PM, Cooke, Tony wrote:

We were recently informed by IT Services that Java 6 update 23 was recommended for use with DocViewer. The latest release of Java 6 is update 39.

Check out this “Risk Matrix”. Observe that a large number of vulnerabilities are low complexity, complete, and affect Java 6 update 38 and below:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html#AppendixJAVA

Of course, this is completely separate from the fact that “After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites.” http://www.java.com/en/download/faq/java_6.xml

Since the University recommends/requires out-of-date/unsupported software, which has known vulnerabilities, are we not being required to put ourselves at risk? If so, is it an acceptable risk?

-Tony

PS: I had a bit of déjà vu writing this, but couldn’t find a relevant thread in the NAG archives.

From: Carl Bussema III [mailto:[log in to unmask]]
Sent: Tuesday, February 05, 2013 1:59 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] JRE 6 Extended Support

SqlDeveloper 3.2 (released November 2012), which is the recommended way to connect to the EBS Data Warehouse, runs on Java 1.6.x. It sort of runs on 1.7, but it's officially Not Supported (TM) and produces a Big Nasty Warning and has some odd quirks. The consensus is that depending on what features of it you're using, you may or may not be able to live with 1.7. AFAIK, no official plans have been announced for Oracle to update this software to run with Java 1.7.

That said, it's perfectly happy using Java 1.6 while Java 1.7 is installed and is the default, so I'm not sure what that does for your security vulnerability. 


Carl Bussema III

Information Technologist

Michigan State University Outreach & Engagement

Phone: (517) 353-8977 • Fax: (517) 432-9541 

[log in to unmask]

On Tue, Feb 5, 2013 at 1:41 PM, STeve Andre' <[log in to unmask]> wrote:

On 02/05/13 13:36, David Graff wrote:

On Tue, 5 Feb 2013 13:28:47 -0500, STeve Andre' <[log in to unmask]> wrote:

On 02/05/13 13:24, David Graff wrote:

Is anyone else in a situation where they need extended support on a
now-defunct version of the Java Runtime? We run an application that will
only work with JRE 6, which is hitting support EOL at the end of the month.
The application launches through the browser plugin, and at the rate that
Java vulnerabilities are coming out that could prove to be a huge liability.

Given the wonderful track record of Java as of late, I would spend
money to fix this if at all possible.  NO ONE I know who uses Java
is resisting the move to 1.7 -- staying current with Java has proved
as important as keeping Flash current.

If this is some proprietary thing, I'd lean heavily on the place that
makes it to allow for an upgrade.

--STeve Andre'

Unfortunately, 1.7 isn't an option. It's a canned product that is then
customized in-house, and we are a couple releases behind. The latest version
dumps the JRE for a standard Oracle Forms interface, but all the existing
content has to be re-written before that upgrade can occur and I'm expecting
that to take a few years.

Believe me, I would love to rip out every single JRE install and never touch
that terrible software again but it just isn't an option.

I  understand.  That being the case I would isolate the machine
as much as possible.  I'd keep it off the net entirely and bring
in data only when reconnected, or by USB device.

The latest 1.7 update contains a horrifying number of fixes,
and most of those problems are in 1.6.  That box is going to
be a real horror if some nasty Java exploit is in the wild and
hits it.

--STeve Andre'
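An added check, not part of the thread above and not code from any of the posters or from Oracle: Stefan's and Carl's messages both turn on a box having JRE 6 and JRE 7 installed side by side, with one of them treated as current, and David's concern is the JRE 6 browser plugin being reachable from any web page. The PowerShell script below (PowerShell 3.0 or later assumed) inventories exactly that on a Windows box. It assumes the registry layout that Oracle's JRE 6/7 installers write under the JavaSoft keys named in the comments, and that the per-user deployment.properties file lives under AppData\LocalLow\Sun\Java\Deployment. The deployment.webjava.enabled switch it looks for only exists from Java 7 Update 10 on, so a bare JRE 6 plugin cannot be switched off that way and has to be disabled in each browser's add-on manager instead.

```powershell
# Added example for this page; not code from the MSUNAG thread or from Oracle.
# Lists every Oracle JRE registered on the machine, flags the one the registry
# treats as current, marks the ones past the public-update cutoff discussed in
# the thread (anything below 1.7), and reports whether Java in the browser is
# switched off in the per-user deployment.properties (a switch Oracle added in 7u10).
#
# Assumed registry layout (what Oracle's JRE 6/7 installers write):
#   HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion = "1.7"
#   HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment\1.7\JavaHome        (alias for the current update)
#   HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07\JavaHome   (one key per installed update)
# 32-bit JREs on 64-bit Windows land under the Wow6432Node mirror of the same path.

$JreRoots = @(
    @{ Path = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment';             Bitness = '64-bit' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'; Bitness = '32-bit' }
)

function Get-InstalledJre {
    foreach ($root in $JreRoots) {
        if (-not (Test-Path $root.Path)) { continue }

        # The major-version alias key (e.g. "1.7") carries the JavaHome of whichever update is current.
        $current     = (Get-ItemProperty -Path $root.Path).CurrentVersion
        $defaultHome = $null
        if ($current) {
            $aliasKey = Join-Path $root.Path $current
            if (Test-Path $aliasKey) { $defaultHome = (Get-ItemProperty -Path $aliasKey).JavaHome }
        }

        Get-ChildItem -Path $root.Path |
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+_\d+$' } |   # full versions only, e.g. 1.6.0_23
            ForEach-Object {
                $javaHome = (Get-ItemProperty -Path $_.PSPath).JavaHome
                [pscustomobject]@{
                    Version   = $_.PSChildName
                    Bitness   = $root.Bitness
                    JavaHome  = $javaHome
                    IsDefault = ($null -ne $javaHome) -and ($javaHome -eq $defaultHome)
                    IsEol     = ($_.PSChildName -match '^1\.[0-6]\.')   # 1.6 and older: no more public updates
                }
            }
    }
}

function Get-BrowserJavaSetting {
    # deployment.webjava.enabled=false is what Java Control Panel > Security >
    # "Enable Java content in the browser" writes (Java 7u10 and later only).
    # Assumed per-user path; a site-wide deployment.config can point elsewhere.
    $props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $props)) {
        return [pscustomobject]@{ File = $props; WebJavaEnabled = 'unset (file missing; plugin stays enabled)' }
    }
    $line  = Get-Content $props |
             Where-Object { $_ -match '^\s*deployment\.webjava\.enabled\s*=' } |
             Select-Object -Last 1
    $value = if ($line) { ($line -split '=', 2)[1].Trim() } else { 'unset (plugin stays enabled)' }
    [pscustomobject]@{ File = $props; WebJavaEnabled = $value }
}

# Report: every JRE, which one is current, and the browser switch.
$jres = @(Get-InstalledJre)
$jres | Format-Table Version, Bitness, IsDefault, IsEol, JavaHome -AutoSize
Get-BrowserJavaSetting | Format-List

$eol = @($jres | Where-Object { $_.IsEol })
if ($eol.Count -gt 0) {
    $names = ($eol | ForEach-Object { $_.Version }) -join ', '
    Write-Warning ("{0} JRE install(s) past Oracle's public-update cutoff: {1}" -f $eol.Count, $names)
}
```

Run it in an elevated PowerShell on the box in question. A JRE 6 row with IsEol true next to a JRE 7 row with IsDefault true is the situation Carl and Stefan describe: the application can keep launching its own 1.6 runtime while the registry default is 1.7. Whether that helps security depends on the browser, not the default: if the JRE 6 plugin is still registered in the browser's add-on list, it can be invoked by any page, which is why the script reports the webjava setting separately and why, for JRE 6, the plugin must be disabled in the browser itself.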