Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Java Zero-Day Exploit

Posted on 2013-01-14
7
Medium Priority
?
850 Views
Last Modified: 2013-01-14
Java 7 Update 10 has been in the news recently - see here - http://tinyurl.com/cbnuel4 

My company has a webiste where some of the server side code is JSP. Should we be concerned? We recently upgraded the SDK to 1.7 and are using Apache 2.0 with Tomcat 6.0.35

If there is an issue what should we do about it?

Thanks!
0
Comment
Question by:jmac44
  • 3
  • 2
  • 2
7 Comments
 
LVL 16

Expert Comment

by:Chris H
ID: 38775999
This issue lies on the JVM on the client side.  Hackers are using other exploits to compromise those webservers and are running malicious java script.  Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.

read this:
http://xianshield.org/guides/apache2.0guide.html
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38776044
And Oracle has supplied an update that is supposed to fix the client problem as of Sunday night.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38776175
I did notice the original file date on the update was last October.  Don't know if that was correct or just a mistake in the rush to provide a 'fix'.
0
 
LVL 9

Author Comment

by:jmac44
ID: 38776235
Choward - I don't understand what you mean by this statement. Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.
0
 
LVL 16

Accepted Solution

by:
Chris H earned 1000 total points
ID: 38776413
Yes.  The specific java vulnerability has nothing to do with a web server.  Simply a user, an internet browser and java are all that is needed.  I'm saying, if  a user logged into your web server and launched internet explorer with java enabled, then they're vulnerable to the exploit from an infected website.  (granted it's just sitting on the DMZ with no firewall)

Hackers are using all different kinds of techniques (ie, sql injection, brute force, fuzzing...  not really the java exploit) to infect server web pages with this form of malware so when joe shmoe gets redirected to the website, their computer runs the hackers code via a java exploit.  Your webserver isn't vulnerable to the java exploit, but it could be vulnerable to an experienced hacker who wants to use your server a malware jump point.
0
 
LVL 9

Author Closing Comment

by:jmac44
ID: 38776612
Perfect - thanks for explaining.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Integration Management Part 2
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses
Course of the Month7 days, 3 hours left to enroll

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question