Solved

Java Zero-Day Exploit

Posted on 2013-01-14
7
837 Views
Last Modified: 2013-01-14
Java 7 Update 10 has been in the news recently - see here - http://tinyurl.com/cbnuel4 

My company has a webiste where some of the server side code is JSP. Should we be concerned? We recently upgraded the SDK to 1.7 and are using Apache 2.0 with Tomcat 6.0.35

If there is an issue what should we do about it?

Thanks!
0
Comment
Question by:jmac44
  • 3
  • 2
  • 2
7 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38775999
This issue lies on the JVM on the client side.  Hackers are using other exploits to compromise those webservers and are running malicious java script.  Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.

read this:
http://xianshield.org/guides/apache2.0guide.html
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776044
And Oracle has supplied an update that is supposed to fix the client problem as of Sunday night.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38776135
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776175
I did notice the original file date on the update was last October.  Don't know if that was correct or just a mistake in the rush to provide a 'fix'.
0
 
LVL 6

Author Comment

by:jmac44
ID: 38776235
Choward - I don't understand what you mean by this statement. Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.
0
 
LVL 16

Accepted Solution

by:
choward16980 earned 250 total points
ID: 38776413
Yes.  The specific java vulnerability has nothing to do with a web server.  Simply a user, an internet browser and java are all that is needed.  I'm saying, if  a user logged into your web server and launched internet explorer with java enabled, then they're vulnerable to the exploit from an infected website.  (granted it's just sitting on the DMZ with no firewall)

Hackers are using all different kinds of techniques (ie, sql injection, brute force, fuzzing...  not really the java exploit) to infect server web pages with this form of malware so when joe shmoe gets redirected to the website, their computer runs the hackers code via a java exploit.  Your webserver isn't vulnerable to the java exploit, but it could be vulnerable to an experienced hacker who wants to use your server a malware jump point.
0
 
LVL 6

Author Closing Comment

by:jmac44
ID: 38776612
Perfect - thanks for explaining.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now