Blog: Java

The Technology and Security groups at CoNetrix have received several questions from customers about the announcement from Oracle to move to a paid subscription model for commercial users. This issue has been very confusing for everyone as we try to decipher what this means with the various versions and editions of Java available today. In this article, we will attempt to clear up some of the confusion and provide recommendations going forward.

Java Standard Edition (SE) is the most common installation of Java today. Java SE consists of the Java Development Kit (JDK) and the Java Runtime Environment (JRE). Unless you are a developer, the JRE is the most important component because it is what allows you to run Java-enabled applications. Many users will have a version of the JRE installed on their PC to support an application they use every day. Until recently, Oracle Java SE has been free for everyone to download and install.

However, starting in January 2019, commercial customers must have a paid subscription license for Java SE in order to receive updates. Historically, Java has not had the best track record on security, so installing Java updates at least monthly is critical to ensure any newly discovered security vulnerabilities are fixed.

Does this mean you have to purchase Oracle Java subscription licensing to install updates? The answer is "It depends!"

Thankfully there are some open-source alternatives to the licensed Java SE. The most common are:

  • AdoptOpenJDK is an open-source distribution of OpenJDK, a project that is jointly supported by Oracle and the Java community.
  • Corretto is another distribution of OpenJDK, supported by Amazon.

Both of these distributions provide support back to Java version 8, which can be important for some applications that require this older version. Both are also supported by CoNetrix Technology for our Network Advantage patch management customers.

The following are our recommendations for installing and supporting Java:

  • Verify you actually need to run Java. It's common for Java to get installed at some point but not removed when it's no longer needed.
  • Test one of the open-source Java options and see if your applications continue to work. If testing is successful, you can remove Oracle Java.
  • Check with your application vendors who use Java to determine if they will support one of the open-source options. If they won't provide support, or they confirm their application doesn't work, then you may have to purchase a Java SE license for every system where these applications are used.
  • If an application requires Oracle Java, check with your vendor to see if they can bundle Java SE with their application. This could be more cost-effective than purchasing it separately.
  • If you deploy one of the open-source options, verify updates for this distribution are included in your patch management solution. Additionally, if your systems are scanned regularly for audits and exams make sure the scanning solution will recognize the open-source installation.

Please contact Customer Support at 806-698-9600 or email support@conetrix.com if you have any questions about management of Java and how CoNetrix can assist.



Have you ever inadvertently installed a toolbar or other adware during a Java update? There is a setting to stop this behavior. Open the Java Control Panel and select the Advanced tab. Then select "Suppress sponsor offers when installing or updating Java" at the bottom of the window.



Due to a recent audit finding, one of our customers requested that only TLS 1.2 be allowed and the cipher security level be set to “high” (AES256-SHA256 and DHE-RSA-AES256-SHA256) on their Cisco ASA firewall. Java 8 does not offer the AES256-SHA256 cipher suites out of the box, because the default policy files limit AES to 128-bit keys. To add these cipher suites, perform the steps below.

Directions to set up the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:

  • On your PC, browse to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
  • Rename the existing policy files so you can restore them if needed:
    • Rename local_policy.jar to local_policy.jar.OLD
    • Rename US_export_policy.jar to US_export_policy.jar.OLD
  • Go to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html and download the unlimited strength policy files, then:
    • Copy local_policy.jar to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
    • Copy US_export_policy.jar to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
  • Launch ASDM again; the ASA will now negotiate the DHE-RSA-AES256-SHA256 cipher suite.
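A quick way to confirm that the policy swap took effect before launching ASDM is to ask the JRE itself. The following program is an added example, not code from the original post: it checks whether the unlimited strength policy is active for AES and whether the JRE's default SSLContext can offer TLS 1.2 and the two suites the ASA requires. The JSSE suite names used here (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA256) are the standard Java names for the OpenSSL-style names DHE-RSA-AES256-SHA256 and AES256-SHA256 quoted above; the class name JceCheck is my own.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Verifies that this JRE can offer the cipher suites required by the ASA
 * configuration described above. Example code; not part of the original post.
 */
public class JceCheck {

    // JSSE names for the OpenSSL-style suite names in the ASA configuration.
    static final List<String> REQUIRED_SUITES = Arrays.asList(
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",   // DHE-RSA-AES256-SHA256
            "TLS_RSA_WITH_AES_256_CBC_SHA256");      // AES256-SHA256

    /** True when the unlimited strength policy is in effect for AES. */
    static boolean unlimitedStrengthEnabled() throws Exception {
        // With the limited policy this returns 128; with the unlimited
        // policy it returns Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /** True when the default SSLContext can negotiate TLS 1.2. */
    static boolean tls12Supported() throws Exception {
        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        return Arrays.asList(params.getProtocols()).contains("TLSv1.2");
    }

    /** Required suites that the default SSLContext cannot offer (empty when all are available). */
    static List<String> missingSuites() throws Exception {
        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        List<String> supported = Arrays.asList(params.getCipherSuites());
        List<String> missing = new ArrayList<>();
        for (String suite : REQUIRED_SUITES) {
            if (!supported.contains(suite)) {
                missing.add(suite);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version")
                + " at " + System.getProperty("java.home"));

        boolean unlimited = unlimitedStrengthEnabled();
        boolean tls12 = tls12Supported();
        List<String> missing = missingSuites();

        System.out.println("Unlimited strength policy active: " + unlimited);
        System.out.println("TLSv1.2 supported: " + tls12);
        if (missing.isEmpty()) {
            System.out.println("All required cipher suites are available.");
        } else {
            System.out.println("Missing cipher suites: " + missing);
        }

        // Non-zero exit so the check can be scripted in a deployment pipeline.
        System.exit(unlimited && tls12 && missing.isEmpty() ? 0 : 1);
    }
}
```

Compile it once with a JDK (`javac JceCheck.java`) and then run it with the exact JRE you modified, for example `"C:\Program Files (x86)\Java\jre1.8.XXX\bin\java.exe" JceCheck`, since a PC can have several JREs installed and the policy files only affect the one whose lib\security directory you changed. Before the swap the program reports the AES limit as 128-bit and lists both AES_256 suites as missing; after the swap it reports the unlimited policy and an empty missing list. Note that Java 8 Update 161 and later ship with the unlimited policy enabled by default (the crypto.policy security property), so on those updates the program should pass without any file replacement.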




Java 8 Update 20 and all newer versions have removed the Medium security level. The only options now are High and Very High. Adding a site to the exception site list will still allow unsigned applications to run. See the following webpage for more information: http://java.com/en/download/help/jcp_security.xml.

The exception site entries and the prompts associated with them are stored in these files under "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment":

  • deployment.properties
  • exception.sites
  • trusted.certs

If the same sites need to be added to a large number of computers or thin clients across an organization, you can use Group Policy to copy these files into the user’s profile at logon.



Few apps are as widely installed as the underlying operating system, and thus, until fairly recently, the OS was where crooks directed most of their attacks. However, criminals are now aiming a large percentage of their attacks at ubiquitous apps like Adobe Reader and Java. In an astonishing turn of events, the security firm Kaspersky recently reported that “in the last quarter, 56 per cent of all attacks on systems in its security network sought to exploit unpatched Java flaws as an entry point for malware attacks”. The report went on to state that Adobe Acrobat Reader was the second most targeted app (with 25% of reported attacks) and Microsoft Windows was a distant third, with only 4% of reported attacks.

Why Java, in particular? Oracle’s Java page reports there are 1.1 BILLION desktops running Java, almost 1 BILLION downloads each year, 3 BILLION mobile phones running Java, and 3 times more Java phones shipped annually than iOS and Android phones combined. That is a ton of potential targets for a crook’s exploit to wreak havoc on. And financial institutions, companies, and individuals generally have much less of a handle on keeping Java and Adobe apps patched than they do on patching the Windows OS.

Why all this background info, much of which you probably already know?

Oracle just announced it will stop patching Java 6 after February 19, 2013. Oracle has been issuing patches for both Java 6 and the current version, Java 7, for some time. As a result, many individuals and enterprises have resisted the move to Java 7. The good news is Oracle says the next Java patch, after February 19th, will be released on June 18, 2013. However, Oracle cannot possibly guarantee it will not issue any patches during those 4 months because currently undiscovered vulnerabilities might need to be patched during that period.

“Java 6's support death presents special problems for Mac users. While Java 7 runs on all current editions of Windows, including the 11-year-old Windows XP, it requires OS X 10.7, aka Lion, or its successor, Mountain Lion, on Macs,” reports Gregg Keizer with Computerworld.

Well, it is best to start investigating potential compatibility issues with Java 7 sooner rather than later, because in 60 days Java 6 will reach its end of support.

http://goo.gl/H3XyC
http://goo.gl/MuhHf



We had problems getting to the Internet on one customer’s terminal server after removing Java 5 and installing Java 6.33. All other terminal servers were working normally except for this one. It appeared that the WPAD.dat file was not being utilized and all Internet traffic was trying to go out directly.

My suspicion was that this had something to do with Java, so I tried uninstalling and reinstalling Java. This still did not fix the Internet issue.

I used the procmon utility on a working system to review all of the file open/close operations that happen when IE tries to launch a website. What I found in the process log was that on a working server, I would see the WPAD.dat file being opened and closed, then jsproxy.dll, and then later on jscript.dll. On the server with the problem, I never saw jscript.dll being opened.

I used the command “regsvr32 c:\windows\system32\jscript.dll” to re-register the DLL, and the Internet started working!


Level Platforms has partnered with a company called Ninite to provide prebuilt installers for many non-Microsoft utilities and applications. These include Java, Adobe Reader, and Adobe Flash. With the new scripting features in Level Platforms MW2011, we should be able to use the packages provided by Ninite to centrally manage updates to these applications. If you want to try Ninite, they provide free installer packages that are completely functional, but with some restrictions on enterprise automation.

https://ninite.com/help/how-ninite-works/



On Windows Server 2008, I was trying to get Java installed, but Internet Explorer kept saying that I was unable to download the file because of my security settings.  My options for changing the security zone settings were grayed out, and adding the Java website to my trusted sites did not work.  I investigated whether group policies were blocking my ability to edit the zone settings, but it turned out that there were no IE-related group policies.  It turned out that I had to run IE as an administrator (right-click and select “run as administrator”) to get access to the zone settings.



We were trying to update Symantec Mail Security (SMS) for SMTP from v4.0 to v4.1, and the upgrade routine seemed to hang during the ‘Java LiveUpdate’ portion. Server hard-drive activity was heavy at that point and Task Manager showed the upgrade ‘running’, but we did not seem to be making progress. We installed a Java runtime update and found a Symantec Java LiveUpdate hotfix, but we ran out of time and had to leave the server at v4.0.

We went back on site Monday ready to uninstall Java LiveUpdate, but the add/remove routine behaved similarly – heavy drive paging and the routine showed running, but no progress was occurring (we waited 15 minutes). I found a Symantec procedure to manually remove Java LiveUpdate and was going through that, deleting folders, when I came upon ‘C:\Documents and Settings\All Users\Application Data\Symantec\Java Liveupdate’. Before deleting it, I looked inside – it had one folder called ‘downloads’, which contained approximately 21,000 pattern update folders going back to 2004. I deleted all these subfolders, which took about 25 minutes. After that completed, I re-ran the v4.1 upgrade, which ran through with no problems.

Whether it was the upgrade routine or the Java LiveUpdate uninstall, the server was obviously trying to process all these subfolders and choking on them (it might have eventually completed if given long enough). So, when working with Java LiveUpdate, it is probably a good idea to look for this downloads folder first and clear it out.