Oracle Java 7 Update 15 Released

[Arthur]

Update time!

Java SE 7 Update 15
Download (Windows: 32-bit, 64-bit) / Release Notes / Security Advisory

Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.

Oracle today released the updated February 2013 Critical Patch Update for Java SE. As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th. Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.

All but one of the vulnerabilities fixed today apply to client deployment of Java. This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers. Three of these vulnerabilities received a CVSS Base Score of 10.0. As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System.

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE). This fix is for a vulnerability commonly referred as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169). This vulnerability has received a CVSS Base Score of 4.3.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers. As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products. The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014. (Source)

[SYNACK]

For once I pushed it a day after it came out rather than before, Yay. Watch them pull it in an hours time because of some horrible flaw they knew about but thought would not affect anyone.

[Arthur]

Nooooooooooooooo!!!!

Two more zero-day vulnerabilities in Java « Neowin

[AngryTechnician]

I'm thinking of advertising for a new position here of "Java and Flash Update Technician", it's starting to feel like a full time job.

[DrCheese]

^ haha yup. I update it one week & check the next week only to find it's jumped 4 versions in the meantime. Madness.

Is annoying as our remote access system uses java (SSL explorer)

[Michael]

Love the logo Arthur! Java's literally got to be the buggiest language in active use today!

[Arthur]

Love the logo Arthur! Java's literally got to be the buggiest language in active use today!

Oracle should replace the cup of Java in their logo with a colander (or perhaps a cafetière made of chocolate).

[Michael]

Oracle should replace the cup of Java in their logo with a colander (or perhaps a cafetière made of chocolate).

I couldn't agree more. I keep it off all default images and have done for sometime now. The MSI's themselves are also growing. They should release smaller cumulative updates rather than the whole application everytime.

[vikpaw]

Love the logo Arthur! Java's literally got to be the buggiest language in active use today!

Oracle should replace the cup of Java in their logo with a colander (or perhaps a cafetière made of chocolate).

You'll like the new installer screen then Java 7 Update 17

[BarryBKS]

Just out of interest,

Has anyone had major issues with updating Java via Silent deployment recently.

I pushed out 7u9 silently and it worked like a dream, (well it installed OK and showed as working).

My next update was 7u11, which I pushed out silently over the top of 7u9, but after going out, discovered the new security feature which stopped everything from working!

Investigated the required switches to deal with the security 'feature' and created an MST, tested and deployed. Once shipped out, I discovered that although no errors were reported during the install, it appeared that 7u11 wouldn't install over a previous version. Reason unknown.

Now have over 300 PCs with a falled install of Java 7u11! Tried to auto-removed the deployment, but this caused an error. Did a manual un-install and got an error box complaining of a missing un-install file, but this made sense as the installer had just finished un-installing and deleting the jre7 folder, so the file it was looking for no longer existed! Thanks Java.
OK, so 7u11 doesn't install correctly and you can't un-install the failed package due to the un-installer looking for a file after it has been deleted. On over 300 PCs!

Repaired the important PCs by manually un-installing 7u11, clearing the error message and then manually installing 7u11 with MST. But this was not a practical solution for the amount of machines needed to cover.

Then 7u15 is released. OK, tested installer. Works over existing 7u11 manual install. Created required MST, no, applied MST to msi using Orca as advised that his was more stable. Tested new 7u15 msi file on several machines randomly picked. Installs fine over manual 7u11. Ran several of the Java based packages which are used throughout the school and these worked fine.

Excellent, or not. Deployed edited msi silently across network. Install shows as successful, but software doesn't work. Error message that no Java Runtime is installed.
OK, auto-uninstall. No, same error message as before. Manual un-install and manual re-install. No java installed. Egh!!!!

Installed Revo, (Revo Uninstaller Pro), used Revo to uninstall Java package, scan for remaining registry keys, (some PCs had over 2000!), deleted keys and stray folders.

Manually installed edited 7u15 msi and Java now works! Still have the remaining 250 PCs to manually repair.

Question 1: Has anyone else had this issue?

Question 2: Has anyone had this or similar with 7u17, which I have just noticed, is now out?

Your thoughts would be appreciated.

[FN-GM]

Just out of interest,

Has anyone had major issues with updating Java via Silent deployment recently.

I pushed out 7u9 silently and it worked like a dream, (well it installed OK and showed as working).

My next update was 7u11, which I pushed out silently over the top of 7u9, but after going out, discovered the new security feature which stopped everything from working!

Investigated the required switches to deal with the security 'feature' and created an MST, tested and deployed. Once shipped out, I discovered that although no errors were reported during the install, it appeared that 7u11 wouldn't install over a previous version. Reason unknown.

Now have over 300 PCs with a falled install of Java 7u11! Tried to auto-removed the deployment, but this caused an error. Did a manual deployment and got an error box complaining of a missing un-install file, but this made sense as the installer had just finished un-installing and deleting the jre7 folder, so the file it was looking for no longer existed! Thanks Java.
OK, so 7u11 doesn't install correctly and you can't un-install the failed package due to the un-installer looking for a file after it has been deleted. On over 300 PCs!

Repaired the important PCs by manually un-installing 7u11, clearing the error message and then manually installing 7u11 with MST. But this was not a practical solution for the amount of machines needed to cover.

Then 7u15 is released. OK, tested installer. Works over existing 7u11 manual install. Created required MST, no, applied MST to msi using Orca as advised that his was more stable. Tested new 7u15 msi file on several machines randomly picked. Installs fine over manual 7u11. Ran several of the Java based packages which are used throughout the school and these worked fine.

Excellent, or not. Deployed edited msi silently across network. Install shows as successful, but software doesn't work. Error message that no Java Runtime is installed.
OK, auto-uninstall. No, same error message as before. Manual un-install and manual re-install. No java installed. Egh!!!!

Installed Revo, (Revo Uninstaller Pro), used Revo to uninstall Java package, scan for remaining registry keys, (some PCs had over 2000!), deleted keys and stray folders.

Manually installed edited 7u15 msi and Java now works! Still have the remaining 250 PCs to manually repair.

Question 1: Has anyone else had this issue?

Question 2: Has anyone had this or similar with 7u17, which I have just noticed, is now out?

Your thoughts would be appreciated.

Had problems in the past. When i deploy Java i first use the script in the link to remove all previous versions then do a clean install. I haven't had any issues at all doing it this way.

http://www.edugeek.net/forums/securi...tml#post916245

[BarryBKS]

Thanks FN-GM,

The script looks like it could be quite useful, but if it only runs the standard un-installer process, then I think it will probably fail with the missing un-installer file. Once the network is tidied up with respect to Java installs, I will certainly look at it as an option to keeping it tidy.

Cheers,

Barry.

[Arthur]

Has anyone else had this issue?

The best way to avoid problems I have found is to always uninstall the old version before you install the latest and edit the MST to prevent the JQS service from being installed.

[dana_lehman]

@BarryBKS
Java update 15 was a nightmare for me. I tested on a few random machines they reported no problems. I also deployed a JNLP reg fix I found on another thread here.
I then deployed java across the network, they reported a successful install, however looking in program files the .exe’s and several other files just were not there. Along with program files the exe are copied to system32 or syswow64 depending on your system.
I use pdq deploy and I noticed in the package library java 15 and java 15 alternate. They said there were issues upgrading from java 11. The alternate installer included a couple commands to delete the iava 11 installer information from the registry.
I modified this to delete the installer information for java update 15. Then on all the effected computers I ran the alternate installer to reinstall the update. This worked for most of them.
I had one computer that did not copy the needed files to system32, which is where the jnlp fix looks for the exes. I had to copy the files manually. I now have everyone on Java 7u15
Java updates are chaos because our grade book system uses java, and if the install breaks you have a mob of teachers that can’t do grades.
Now I find out another critical update was just released.

[sonofsanta]

And lo and behold, just as you've all got Java 7u15 out the door...

Overview

Oracle Java 7 update 15, Java 6 update 41, Java 5.0 update 40, and
earlier versions of Java contain a vulnerability that can allow a
remote, unauthenticated attacker to execute arbitrary code on a
vulnerable system.

Solution

Update Java
Oracle Security Alert for CVE-2013-1493 states that Java 7 Update 17
(7u17) and and Java 6 Update 43 address this vulnerability (CVE-2013-
1493) and a different but equally severe vulnerability (CVE-2013-0809).
Java 7 Update 17 sets the default Java security settings to "High" so
that users will be prompted before running unsigned or self-signed Java
applets.

(full text of alert)

I just checked the dates on my SCCM source folders, and 7u17 will be the 4th version I've pushed out this year:
* 7u11 - 2013-01-14
* 7u13 - 2013-02-05
* 7u15 - 2013-02-26
* 7u17 - 2013-03-07
If we didn't need the software for ECDL testing it'd be disabled right now.