Where to find vulnerability information by java version

rwskas
rwskas used Ask the Experts™
on
We are currently utilizing an extremely outdated java version to support business functions (1.5.0_16). Where can I go to find out how MANY, and how CRITICAL the vulnerabilities are that would effect this version? I need to build a case against this for the business to push getting our java updated
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
well simplest ones are
-- latest versions of app servers like jboss, tomcat etc work with jre6
-- latest version have the fixes for bugs in current version

You can also build your case on the features
http://java.sun.com/javase/6/features.jsp

i found the integrated Web-service a very big reason to switch to jre6

Author

Commented:
The version we use we are stuck with because certain application require that version. The case I need to build is how insecure this version is, so that I can try and get the app owners to upgrade there app, so we can update java across the board.
What I need to find is how many vulnerabiltiies there are that effect java jre 5 update 16
Do a search on http://secunia.com/advisories/search/

You should be able to narrow it down to your version and show what there is.
PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Author

Commented:
Those both had some information, but not quite was I was looking for. Secunia only list them by major versions (1.5x). I was able to get some information from freshmeat, but what I could not get from that site is if any updates to java 1.6x patch vulnerabilities in java 1.5x
The freshmeat site also uses a lot of verbage like "Several security issues were resolved." and ideally, I would like to someone list them out.
TolomirAdministrator
Top Expert 2005
Commented:
Well I suggest you use the latest java 1.5.0_22 version instead.

Please check these release notes:

http://www.oracle.com/technetwork/java/javase/releasenotes-142123.html

It will tell you about all bugs and fixes in the 1.5.x version tree.

Tolomir
TolomirAdministrator
Top Expert 2005

Commented:
Example of security alerts:

Impact: The Java Runtime Environment creates temporary files with insufficiently  random names. This may be leveraged to write JAR files which may then  be loaded as untrusted applets and Java Web Start applications to access  and provide services from localhost and hence steal cookies.

Impact: Multiple buffer overflow vulnerabilities in the Java Runtime Environment (JRE) image processing code (CR 6726779), its handling of GIF images (CR 6766136) as well as its font processing (CRs 6733336 and 6751322) may allow an untrusted applet or Java Web Start application to elevate its privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Impact: A buffer overflow vulnerability in the Java Runtime Environment (JRE) may allow an untrusted Java application that is launched through the command line to escalate privileges. For example, the untrusted Java application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted Java application. http://www.ximido.de/research/advisories/SM_Java-BO_200811.txt

Tolomir

Author

Commented:
Thanks

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial