  1. #1



    Java Runtime Environment 7 Update 51 released. 36 vulnerabilities fixed!

    Let's get critical, critical!

    Java SE 7 Update 51 (expires 15th April 2014)
    Download (Windows: 32-bit, 64-bit / OS X: 64-bit) / Release Notes / Risk Matrix

    January 2014 Critical Patch Update Released
    This Critical Patch Update also provided 36 security fixes for Java SE. 34 of these Java SE vulnerabilities may be remotely exploitable without authentication. Only 3 of these vulnerabilities are relevant to Java SE or JSSE server deployments, but are not server side specific (that is they also affect client deployments). The maximum CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects 5 vulnerabilities (one of them being applicable to server deployments, that is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets).

    As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. While a successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments because the affected component is not installed or cannot be easily accessed by malicious attacker, a prompt application of the Critical Patch Update will help ensure that “security in depth” is maintained in the environment. IT environments are dynamic in nature, and systems configurations and security controls (e.g., network access control policies) often change over time. Applying the Critical Patch Update and other vendors’ relevant security patches helps ensure that the related security controls continue to work, should one of the systems fail or its control be circumvented during an attack. (Source)

  2. 3 Thanks to Arthur:

    3s-gtech (15th January 2014), kmount (15th January 2014), sonofsanta (15th January 2014)

  3. #2


    Well worth being aware that, starting in u51, the lack of a jar manifest permission attribute 'blocks' running of the applet instead of just warning as it did on u45.

    A lot of java applications will break as a result of this, contact your vendors for updated applications that have this attribute in place.

    The alternatives I'm aware of at the moment are you could use deployment rule sets to whitelist applets, or in dire emergency turning off java security (but we wouldn't want to do that of course!).

  4. 2 Thanks to kmount:

    Arthur (15th January 2014), RageSto (15th January 2014)

  5. #3
    free780's Avatar
    DRS is the way to go. Pain to set up though.

  6. #4

    Gatt's Avatar
    Quote: Originally posted by kmount
    Well worth being aware that, starting in u51, the lack of a jar manifest permission attribute 'blocks' running of the applet instead of just warning as it did on u45.

    A lot of java applications will break as a result of this, contact your vendors for updated applications that have this attribute in place.

    The alternatives I'm aware of at the moment are you could use deployment rule sets to whitelist applets, or in dire emergency turning off java security (but we wouldn't want to do that of course!).

    Yeah we've had to release an XML file at the Uni here to whitelist a program called "Banner"
    Gonna hang fire and see if someone publishes a list of borked apps..

    The more people that move away from Java / Flash and towards HTML5 - the better!

  7. #5
    ADMaster's Avatar
    I'm looking at setting up the exceptions list to white list the unsigned applets.
    https://blogs.oracle.com/java-platfo...n_site_list_in
    However this appears to be a user setting only. I've tried adding a line to my deployment config to specify a system path.

    Here is my deployment config:

    Code:
    deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
    deployment.user.security.exception.sites=file\:C\:/WINDOWS/Sun/Java/Deployment/exception.sites
    deployment.system.config.mandatory=true

    If the best way to whitelist these apps at the system level is a deployment rule set, please point me to a good example.

    Also it wouldn't be too difficult to copy the exception.sites file to each user at logon if that would be the best way to manage it.

    Thanks for your input.

  8. #6
    ADMaster's Avatar
    OK Folks,
    I think I have it figured out.

    I had to drop the file from my path, and add it to the deployment properties not deployment config

    Code:
    deployment.user.security.exception.sites=C\:/WINDOWS/Sun/Java/Deployment/exception.sites

    Now create a plain text file named exception.sites and add one URL per line according to the Oracle blog linked above.
    A plain text file has to be better to manage than re-signing a jar every time I need to add a site to the list.

    This solution requires a bit more testing. It was successful on a Windows 7 x86 machine.

    I hope this helps someone else with their java update.

  9. 2 Thanks to ADMaster:

    AngryTechnician (16th January 2014), kmount (16th January 2014)

  10. #7
    kennysarmy's Avatar
    How would I allow access to :

    GCSE Computing: Programming - LMC

    for my students across the network once we update to 51?

    Is there any way to do this via a policy?

  11. #8
    kennysarmy's Avatar
    I've edited my copy of the "exception.sites" file and put it somewhere central.

    I need to work out now how to copy this file at logon time to every user's folder:

    C:\Users\(username)\AppData\LocalLow\Sun\Java\Deployment\security\

  12. #9
    ADMaster's Avatar
    Hi Kenny,
    I considered using GPP for this to copy the file at log on, or a log on script.
    However you can modify the deployment properties file to tell java where your exception.sites are. See my post #6 above for the line I used.
    This will allow you to set the file once for the machine which works nicer with SCCM, you can also use GPP or script at the machine level.
    Cheers

  13. #10
    kennysarmy's Avatar
    Quote: Originally posted by ADMaster
    Hi Kenny,
    I considered using GPP for this to copy the file at log on, or a log on script.
    However you can modify the deployment properties file to tell java where your exception.sites are. See my post #6 above for the line I used.
    This will allow you to set the file once for the machine which works nicer with SCCM, you can also use GPP or script at the machine level.
    Cheers

    But the deployment properties file on my system is in :

    C:\Users\(username)\AppData\LocalLow\Sun\Java\Deployment

    So I'd still need a way to edit or replace this file for all users...

    Unless I am missing something

  14. #11
    kennysarmy's Avatar
    Is it possible to edit the JAVA MSI using ORCA to make the changes such that the "exception.sites" file is stored somewhere else?

    I've successfully edited the MSI and added to the properties table the line :

    "WEB_JAVA_SECURITY_LEVEL", value = M

    Tested and this allows the previously blocked JAVA applet from running, with just a user clearable warning - not ideal, but some progress!

  15. #12
    ADMaster's Avatar
    There is a system properties file and a user properties file. That is the default location for the user level properties.
    To use the system level properties you need to create a deployment.config file and place it in c:\windows\sun\java\deployment
    It should look like this

    Code:
    deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
    deployment.system.config.mandatory=true

    Then create your deployment.properties file in the same directory.
    Here is a snip from my deployment.properties; the first one specifies that the exception.sites should be in this same directory.

    Code:
    deployment.user.security.exception.sites=C\:/WINDOWS/Sun/Java/Deployment/exception.sites
    deployment.browser.vm.iexplorer.locked
    deployment.browser.vm.iexplorer=true
    deployment.browser.vm.mozilla.locked
    deployment.browser.vm.mozilla=true
    deployment.expiration.check.enabled=false
    deployment.security.level=HIGH

    I don’t know what deployment method you use but here is the batch I use to create the directory and copy the files.
    Code:
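    rem Create the system-level deployment directory if it is missing
    if not exist "%SystemRoot%\Sun\Java\Deployment" mkdir "%SystemRoot%\Sun\Java\Deployment"
    rem Copy the three files from the folder that holds this script (%~dp0)
    copy /Y "%~dp0deployment.config" "%SystemRoot%\Sun\Java\Deployment\"
    copy /Y "%~dp0deployment.properties" "%SystemRoot%\Sun\Java\Deployment\"
    copy /Y "%~dp0exception.sites" "%SystemRoot%\Sun\Java\Deployment\"

    Hope this helps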

  16. 2 Thanks to ADMaster:

    kennysarmy (17th January 2014), mwbutler (7th February 2014)
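
An added example, not part of any post in this thread: a small Python audit of the three system-level files described above (deployment.config, deployment.properties, exception.sites) that can be run before they are pushed to machines. The function names and the example.test hosts are constructed, and treating a key without a `.locked` companion as changeable per user is an assumption based on the `.locked` lines shown in post #12.

```python
import re
from urllib.parse import urlsplit

def parse_props(text):
    """Minimal .properties reader: key=value lines, '\\:' escapes, bare '.locked' keys."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":          # skip blanks and comments
            key, _, value = line.partition("=")
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def audit(config_text, properties_text, sites_text):
    """Return a list of findings for the three system-level files."""
    cfg, props, findings = parse_props(config_text), parse_props(properties_text), []
    if "deployment.system.config" not in cfg:
        findings.append("deployment.config: deployment.system.config is not set")
    if cfg.get("deployment.system.config.mandatory", "").lower() != "true":
        findings.append("deployment.config: system config is not mandatory")
    # Keys that decide what may run; an unlocked key is assumed user-overridable.
    for key in ("deployment.user.security.exception.sites", "deployment.security.level"):
        if key not in props:
            findings.append(f"deployment.properties: {key} is not set")
        elif key + ".locked" not in props:
            findings.append(f"deployment.properties: {key} is not locked")
    seen = set()
    for number, raw in enumerate(sites_text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        url = urlsplit(entry)
        if url.scheme != "https" or not url.hostname:
            findings.append(f"exception.sites line {number}: not an HTTPS URL: {entry}")
        if entry.lower() in seen:
            findings.append(f"exception.sites line {number}: duplicate entry: {entry}")
        seen.add(entry.lower())
    return findings

# Constructed sample input, modelled on the files posted in this thread.
SAMPLE_CONFIG = r"""deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true"""
SAMPLE_PROPERTIES = r"""deployment.user.security.exception.sites=C\:/WINDOWS/Sun/Java/Deployment/exception.sites
deployment.browser.vm.iexplorer.locked
deployment.browser.vm.iexplorer=true
deployment.security.level=HIGH"""
SAMPLE_SITES = """https://banner.example.test/forms/
http://lmc.example.test/
https://banner.example.test/forms/"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_PROPERTIES, SAMPLE_SITES):
        print(finding)
```

Every exception.sites entry is a site exempted from the checks u51 introduced, so the list is worth reviewing each time it changes.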

  17. #13
    kennysarmy's Avatar
    Great, I am sure that will be useful to others too....

    I'd almost got there before I left last night but hadn't got the deployment.config file sorted...

    Also my deployment.properties file had the following lines:


    deployment.user.security.exception.sites=C\:/WINDOWS/Sun/Java/Deployment/exception.sites
    deployment.modified.timestamp=1389886838677
    deployment.javaws.splash.index=C\:\\Users\\sadmin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\splash\\splash.xml
    deployment.version=7.21
    deployment.javaws.jre.0.product=1.7.0_51
    deployment.javaws.jre.0.registered=true
    deployment.javaws.jre.0.osname=Windows
    deployment.javaws.jre.0.platform=1.7
    deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe
    deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
    deployment.javaws.jre.0.enabled=true
    deployment.javaws.jre.0.osarch=x86

  18. #14
    kennysarmy's Avatar
    Tested and deployed to a computer suite.

    All working fine now.

    Created a startup policy that calls the batch file - thanks for your help!

  19. #15

    I will be going down this path tomorrow bright and early.

    If anyone could post their deployment.config and exception.sites that would be very helpful to get an idea of what is needed. I'd like to remove the prompt for updates as well, as with SCCM we will manage Java releases now.

    From what I can tell, does the deployment.config reside in the same location as where the .jar file would be (which is a pain to package), c:\windows\sun\java\deployment?
