Solved

Java Zero-Day Exploit

Posted on 2013-01-14
Last Modified: 2013-01-14
Java 7 Update 10 has been in the news recently - see here - http://tinyurl.com/cbnuel4 

My company has a website where some of the server-side code is JSP. Should we be concerned? We recently upgraded the SDK to 1.7 and are using Apache 2.0 with Tomcat 6.0.35.

If there is an issue what should we do about it?

Thanks!
0
Question by:Justin Moore
7 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38775999
This issue lies in the JVM on the client side. Hackers are using other exploits to compromise those webservers and are running malicious java script. Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the Java update installed.

Read this:
http://xianshield.org/guides/apache2.0guide.html
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776044
And Oracle has supplied an update that is supposed to fix the client problem as of Sunday night.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38776135
0

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776175
I did notice the original file date on the update was last October.  Don't know if that was correct or just a mistake in the rush to provide a 'fix'.
0
 
LVL 8

Author Comment

by:Justin Moore
ID: 38776235
Choward - I don't understand what you mean by this statement: "Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed."
0
 
LVL 16

Accepted Solution

by:
choward16980 earned 250 total points
ID: 38776413
Yes. The specific Java vulnerability has nothing to do with a web server. Simply a user, an internet browser and Java are all that is needed. I'm saying, if a user logged into your web server and launched Internet Explorer with Java enabled, then they're vulnerable to the exploit from an infected website. (Granted it's just sitting on the DMZ with no firewall.)

Hackers are using all different kinds of techniques (i.e., SQL injection, brute force, fuzzing... not really the Java exploit) to infect server web pages with this form of malware so when Joe Shmoe gets redirected to the website, their computer runs the hacker's code via a Java exploit. Your webserver isn't vulnerable to the Java exploit, but it could be vulnerable to an experienced hacker who wants to use your server as a malware jump point.
0
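
The accepted answer's point is that the server-side risk is content planted on your pages, not the Java flaw itself, and that can be checked against your own web root. The following Python scanner is an added example, not part of the original thread: it flags tags that load browser plugins (which is how an applet reaches a visitor's Java plugin) and iframe/script tags that pull from hosts you did not list. `ALLOWED_HOSTS`, the file suffixes and the sample page are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the only hosts this site is expected to load content from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
SCAN_SUFFIXES = {".html", ".htm", ".jsp", ".js"}

# Tags that hand content to a browser plugin such as Java.
APPLET_TAG = re.compile(r"<\s*(applet|object|embed)\b[^>]*>", re.I)
# Tags that pull content from another URL.
REMOTE_TAG = re.compile(r"<\s*(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def host_of(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed URL: report it instead of skipping it
        return "unparseable"

def scan_text(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_no, reason, snippet) findings for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in APPLET_TAG.finditer(line):
            findings.append((no, "plugin-tag:" + m.group(1).lower(), m.group(0)[:80]))
        for m in REMOTE_TAG.finditer(line):
            host = host_of(m.group(2))
            # Relative URLs have no host and stay on this site.
            if host and host not in allowed_hosts:
                findings.append((no, f"offsite-{m.group(1).lower()}:{host}", m.group(0)[:80]))
    return findings

def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Scan every served file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page: lines 1-2 are expected, lines 3-4 are not.
SAMPLE = """<script src="/js/site.js"></script>
<script src="http://static.example.com/lib.js"></script>
<iframe src="http://unknown-host.invalid/index.html"></iframe>
<applet code="Loader.class" archive="x.jar"></applet>"""

if __name__ == "__main__":
    print(*scan_text(SAMPLE), sep="\n")
```

A finding is a prompt to compare the file against what you deployed, since object and embed tags can be legitimate; call `scan_tree()` on the Apache document root and the Tomcat webapps directory.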
 
LVL 8

Author Closing Comment

by:Justin Moore
ID: 38776612
Perfect - thanks for explaining.
0
