
SANS ISC: Java 7 Officially Released


Java 7 Officially Released

Oracle has officially released Java 7, including some security updates and several new features and enhancements. Thanks to ISC reader Alex for notifying us about it.

The new Java 7 release coexists with the latest Java 6 release, Update 27. It is available for download from the Oracle web site, http://www.oracle.com/technetwork/java/index.html, and still uses separate installers for the 32- and 64-bit versions on all supported operating systems (Linux, Solaris and Windows).

As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including TLS v1.1 and v1.2 as well as Server Name Indication (SNI) support.

Java 7 does not remove any previous Java versions; I guess this is the intended behavior, as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain. So if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past, although then within the same major release) and do not leave vulnerable Java 6 releases around.

Considering Java is one of the most targeted pieces of client software today, be ready for future updates to both Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them.
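The side-by-side behavior described above is easy to miss on a large Windows estate, so a quick inventory of what is actually registered on a host helps. The following is an added example, not code from the diary or from Oracle: it reads the Windows Uninstall registry keys (both the native hive and WOW6432Node, where 32-bit Java registers on 64-bit Windows), parses the Oracle/Sun Java product names into comparable versions, and flags every copy older than the newest one present. It only reports; nothing is uninstalled. The function names and the sample product names are constructed for illustration.

```powershell
# Added example (not part of the ISC diary): inventory Oracle/Sun Java
# runtimes and JDKs registered in the Windows Uninstall keys and flag every
# copy older than the newest one present, so Java 6 installs left behind by
# a Java 7 install are visible. Report only; nothing is removed.

# Both hives: 32-bit Java on 64-bit Windows registers under WOW6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Turn an Uninstall DisplayName such as "Java(TM) 6 Update 27 (64-bit)" or
# "Java 7" into a record with a comparable [version] (6.27, 7.0). Names that
# carry no major release number (e.g. "Java Auto Updater") yield $null.
function ConvertTo-JavaRecord {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [string]$UninstallString = ''
    )
    if ($DisplayName -notmatch '^Java') { return $null }
    # A lone digit is the major release (6, 7); "Update N" is optional.
    # "64" in "(64-bit)" is two digits, so it never matches the major group.
    if ($DisplayName -notmatch '\b(?<major>\d)\b(?: Update (?<update>\d+))?') { return $null }
    $update = if ($Matches['update']) { [int]$Matches['update'] } else { 0 }
    New-Object PSObject -Property @{
        DisplayName     = $DisplayName
        Major           = [int]$Matches['major']
        Update          = $update
        Version         = [version]"$($Matches['major']).$update"
        Is64Bit         = ($DisplayName -like '*64-bit*')
        UninstallString = $UninstallString
    }
}

# Read the registry and keep only Sun/Oracle Java products.
function Get-JavaInstalls {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -match 'Oracle|Sun Microsystems' } |
        ForEach-Object {
            ConvertTo-JavaRecord -DisplayName ([string]$_.DisplayName) `
                                 -UninstallString ([string]$_.UninstallString)
        } |
        Where-Object { $_ }
}

# Mark everything below the newest version found as a leftover candidate.
function Get-LeftoverJava {
    param([object[]]$Installs)
    if (-not $Installs) { return }
    $newest = ($Installs | Sort-Object Version -Descending | Select-Object -First 1).Version
    foreach ($i in $Installs) {
        $i | Add-Member -MemberType NoteProperty -Name Leftover `
                        -Value ($i.Version -lt $newest) -PassThru
    }
}

# Constructed sample reproducing the diary's scenario: Java 7 installed on top
# of Java 6 Update 27 (32- and 64-bit). Use Get-JavaInstalls on a real host.
$sample = @(
    'Java(TM) 6 Update 27',
    'Java(TM) 6 Update 27 (64-bit)',
    'Java 7',
    'Java Auto Updater'
) | ForEach-Object { ConvertTo-JavaRecord -DisplayName $_ } | Where-Object { $_ }

Get-LeftoverJava -Installs $sample |
    Sort-Object Version -Descending |
    Format-Table DisplayName, Version, Is64Bit, Leftover -AutoSize

# On a real system, list only the leftovers together with their uninstall
# command, which can then be fed to your software deployment tooling:
# Get-LeftoverJava -Installs (Get-JavaInstalls) |
#     Where-Object { $_.Leftover } |
#     Format-Table DisplayName, UninstallString -AutoSize
```

In the constructed sample both Java 6 Update 27 entries are reported as leftovers and Java 7 is not. The comparison is only between the versions present on the host, so a machine with Java 6u26 and 6u27 and no Java 7 will still flag 6u26; whether the newest copy itself is current has to be checked against Oracle's release list separately.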

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

Raul Siles

152 Posts
The H article "Oracle retires licence for distributing its Java with Linux" (http://www.h-online.com/open/news/item/Oracle-retires-licence-for-distributing-its-Java-with-Linux-1332835.html) indicates that users who previously had easy access to packages may not be getting them anymore.

Worse, many unsuspecting users may expect their Linux package manager to take care of their security updates.

Does this mean many Linux users may unknowingly be taking a risk here, by not being updated at all (Java 7)?
Anonymous
Mic, as you know, licensing and distribution are two different but related worlds. Definitely, the change seems to have a future impact on Java users' update behavior, and Oracle is pointing to OpenJDK 6 or 7 as the Linux open-source reference.

Users will need to switch to OpenJDK, or if they continue using the official JRE or JDK, get updates through the potential Oracle Java auto update processes or manually, but their Linux distribution won't be able to provide new updates.

If this information is not widely spread by Oracle and the Linux distros, it will basically mean more vulnerable Java versions around, for the same Linux package manager blind trust you mention.
Raul Siles

152 Posts
Looks like it's not really ready for release yet.

Quote:
Why is Java SE 7 not yet available on java.com?

The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be downloaded from Oracle.com

TexISO

19 Posts
