 |
 |
Without knowing the recommendation from IT Services regarding JRE 6 for DocViewer I installed JRE 7 on a Windows 7 computer for a user that uses DocViewer on a periodic basis for a limited set of reports that she cannot get from EBS or anywhere else. FYI: Her computer has had Java 7 Update 7 since October without any problems with DocViewer. -Stefan On 2/5/2013 4:02 PM, Cooke, Tony wrote: > > We were recently informed by IT Services that Java 6 update 23 was recommended > for use with DocViewer. The latest release of Java 6 is update 39. > > Check out this "Risk Matrix". Observe that a large number of vulnerabilities > are low complexity, complete, and affect Java 6 update 38 and below: > > http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html#AppendixJAVA > > Of course, this is completely separate from the fact that "After February > 2013, Oracle will no longer post updates of Java SE 6 to its public download > sites." http://www.java.com/en/download/faq/java_6.xml > > Since the University recommends/requires out of date/unsupported software, > which has known vulnerabilities, are we not being required to put ourselves at > risk? If so, is it an acceptable risk? > > -Tony > > PS: I had a bit of déjà vu writing this, but couldn't find a relevant thread > in the NAG archives. > > *From:*Carl Bussema III [mailto:[log in to unmask]] > *Sent:* Tuesday, February 05, 2013 1:59 PM > *To:* [log in to unmask] > *Subject:* Re: [MSUNAG] JRE 6 Extended Support > > SqlDeveloper 3.2 (released November 2012), which is the recommended way to > connect to the EBS Data Warehouse, runs on Java 1.6.x. It sort of runs on 1.7, > but it's officiallly Not Supported (TM) and produces a Big Nasty Warning and > has some odd quirks. The consensus is that depending on what features of it > you're using, you may or may not be able to live with 1.7. AFAIK, no official > plans have been announced for Oracle to update this software to run with Java 1.7. > > That said, it's perfectly happy using Java 1.6 while Java 1.7 is installed and > is the default, so I'm not sure what that does for your security vulnerability. > > > Carl Bussema III > > Information Technologist > > Michigan State University Outreach & Engagement > > Phone: (517) 353-8977 . Fax: (517) 432-9541 > > [log in to unmask] <mailto:[log in to unmask]> > > On Tue, Feb 5, 2013 at 1:41 PM, STeve Andre' <[log in to unmask] > <mailto:[log in to unmask]>> wrote: > > On 02/05/13 13:36, David Graff wrote: > > On Tue, 5 Feb 2013 13:28:47 -0500, STeve Andre' <[log in to unmask] > <mailto:[log in to unmask]>> wrote: > > On 02/05/13 13:24, David Graff wrote: > > Is anyone else in a situation where they need extended support on a > now-defunct version of the Java Runtime? We run an application that will > only work with JRE 6, which is hitting support EOL at the end of the month. > The application launches through the browser plugin, and at the rate that > Java vulnerabilities are coming out that could prove to be a huge liability. > > Given the wonderful track record of Java as of late, I would spend > money to fix this if at all possible. NO ONE I know who uses Java > is resisting the move to 1.7 -- staying current with Java has proved > as important as keeping Flash current. > > If this is some proprietary thing, I'd lean heavily on the place that > makes it to allow for an upgrade. > > --STeve Andre' > > Unfortunately, 1.7 isn't an option. It's a canned product that is then > customized in-house, and we are a couple releases behind. The latest version > dumps the JRE for a standard Oracle Forms interface, but all the existing > content has to be re-written before that upgrade can occur and I'm expecting > that to take a few years. > > Believe me, I would love to rip out every single JRE install and never touch > that terrible software again but it just isn't an option. > > I understand. That being the case I would isolate the machine > as much as possible. I'd keep it off the net entirely and bring > in data only when reconnected, or by USB device. > > The latest 1.7 update contains a horrifying number of fixes, > and most of those problems are in 1.6. That box is going to > be a real horror if some nasty Java exploit is in the wild and > hits it. > > --STeve Andre' >