Most of us are aware of this by now, but I received the following, very well written explanation of the problem and steps to take at this point.\u00a0 As before, when I get these, and feel they should be given a wider audience, I will repost for the CNSIT community.<\/p>\n
“As everyone is probably painfully aware, Java has some major problems right now\u2026 and Oracle hasn\u2019t been overly convincing in providing a fix, despite releasing a patch over the weekend. The Department of Homeland Security has reiterated its recommendation to uninstall\/disable Java, but we rely heavily on Java for a few critical applications and we can\u2019t just shut it down. So what I can do is outline the issues, give an overview of the CSU use cases, and make our best recommendation. Alas, there\u2019s not a clean, elegant way to solve this that both enables and protects our mission-critical applications.<\/p>\n
Java version numbering can be a bit confusing, so here\u2019s a quick primer:<\/p>\n
\n
- \u201cJava 7\u201d is a shorthand notation for the Java Standard Edition numbered 1.7.x, where the \u2018x\u2019 is the update number. The other naming scheme that tends to be used looks like Java 7ux (for example, Java 7u11). The problematic update that contained the most recent critical security vulnerability was 1.7.10, or Java 7u10. The patch released to fix that problem is 7u11, and is the most recent version that a web download or auto-updater should install.<\/li>\n
- \u201cJava 6\u201d is the similar naming scheme for the previous major release; the most recent patch of that line is 6u38. It\u2019s not perfect from a security point of view, and it lacks some of the functionality introduced in the Java 7 line, but it has continued to receive updates and it does seem to be immune from the particular vulnerability introduced last week. It\u2019s also the required version for our central Oracle apps (read on\u2026). That update can be accessed on Oracle\u2019s Java 6 download site: http:\/\/www.java.com\/en\/download\/manual_v6.jsp<\/li>\n<\/ul>\n
The major applications\/suites on campus that use Java: (there are others in use, but these are the big three)<\/p>\n
\n
- Oracle HR and the other Oracle apps reachable via CAP (includes Timecard Approval). Doesn\u2019t support Java 7, so some version of Java 6 is required. Appears to work well under the most recent version of this line (6u38).<\/li>\n
- RamCT Blackboard. Several features (including chat and file uploads) require Java. Has been tested to work well under both Java 6 and Java 7. RamCT Blackboard doesn\u2019t work well if more than one version of Java is installed, so if one computer does both Blackboard and Timecard Approval, then Java 6u38 should be used.<\/li>\n
- Junos Pulse VPN (aka Juniper SSL gateway, secure.colostate.edu). For Windows and IE, Java is not a requirement, as all advanced functions can be performed with ActiveX controls (though with no Java at all, there will be a few error messages to click through when initially installing some of the controls). For other combinations (Windows + Firefox, Windows + Chrome, and all combinations on Mac and Linux), Java is required to do more than the basic HTML redirect\u2026 so RDP, SSH, Network Connect, Secure Meeting (now Pulse Collaboration), and Secure Application Manager\u2026 these all require Java of some sort. Getting them to work under Java 6 can be problematic, so heavy users will probably want to use the latest version of Java 7.<\/li>\n<\/ul>\n
So here are the possible stances:<\/p>\n
1)\u00a0\u00a0\u00a0\u00a0\u00a0 I don\u2019t use any of those applications; I\u2019ll just remove Java from my system. Safe from harm, though other sites may stop working correctly.<\/p>\n
2)\u00a0\u00a0\u00a0\u00a0\u00a0 I just use RamCT Blackboard: Java 7u11 with auto-update enabled OR Java 6u38 with auto-update disabled (either should work).<\/p>\n
3)\u00a0\u00a0\u00a0\u00a0\u00a0 I just use central administrative apps: Java 6u38 with auto-update disabled.<\/p>\n
4)\u00a0\u00a0\u00a0\u00a0\u00a0 I use both RamCT Blackboard AND central administrative apps: Java 6u38 with auto-update disabled.<\/p>\n
5)\u00a0\u00a0\u00a0\u00a0\u00a0 I don\u2019t use Blackboard\/CAP, but use the SSL gateway on Windows with IE: may be able to get by without any Java at all.<\/p>\n
6)\u00a0\u00a0\u00a0\u00a0\u00a0 I use the SSL gateway with some other combination of OS\/browser: should probably have Java 7u11.<\/p>\n
One important note, no matter which you choose: many applications (including both Blackboard and the SSL gateway) get cranky if there\u2019s more than one version of Java installed, so it can\u2019t be as simple as just installing both versions. Alas\u2026<\/p>\n
Of course, we\u2019ll keep an eye on what Oracle does with Java, both from a security point of view and for its ability to interface with our central administrative applications. If we find a simple fix, you\u2019ll be the first to know about it!”<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
Most of us are aware of this by now, but I received the following, very well written explanation of the problem and steps to take at this point.\u00a0 As before, when I get these, and feel they should be given a wider audience, I will repost for the CNSIT community. “As everyone is probably painfully […]<\/p>\n","protected":false},"author":2,"featured_media":1104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,10,11],"tags":[],"class_list":["post-1103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-networking","category-security","category-security-news"],"_links":{"self":[{"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/posts\/1103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/comments?post=1103"}],"version-history":[{"count":1,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/posts\/1103\/revisions"}],"predecessor-version":[{"id":4215,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/posts\/1103\/revisions\/4215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/media\/1104"}],"wp:attachment":[{"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/media?parent=1103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/categories?post=1103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cnsit.colostate.edu\/kb\/wp-json\/wp\/v2\/tags?post=1103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}