Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Java Zero-Day Exploit

Posted on 2013-01-14
7
840 Views
Last Modified: 2013-01-14
Java 7 Update 10 has been in the news recently - see here - http://tinyurl.com/cbnuel4 

My company has a webiste where some of the server side code is JSP. Should we be concerned? We recently upgraded the SDK to 1.7 and are using Apache 2.0 with Tomcat 6.0.35

If there is an issue what should we do about it?

Thanks!
0
Comment
Question by:Justin Moore
  • 3
  • 2
  • 2
7 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38775999
This issue lies on the JVM on the client side.  Hackers are using other exploits to compromise those webservers and are running malicious java script.  Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.

read this:
http://xianshield.org/guides/apache2.0guide.html
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776044
And Oracle has supplied an update that is supposed to fix the client problem as of Sunday night.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38776135
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38776175
I did notice the original file date on the update was last October.  Don't know if that was correct or just a mistake in the rush to provide a 'fix'.
0
 
LVL 8

Author Comment

by:Justin Moore
ID: 38776235
Choward - I don't understand what you mean by this statement. Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.
0
 
LVL 16

Accepted Solution

by:
choward16980 earned 250 total points
ID: 38776413
Yes.  The specific java vulnerability has nothing to do with a web server.  Simply a user, an internet browser and java are all that is needed.  I'm saying, if  a user logged into your web server and launched internet explorer with java enabled, then they're vulnerable to the exploit from an infected website.  (granted it's just sitting on the DMZ with no firewall)

Hackers are using all different kinds of techniques (ie, sql injection, brute force, fuzzing...  not really the java exploit) to infect server web pages with this form of malware so when joe shmoe gets redirected to the website, their computer runs the hackers code via a java exploit.  Your webserver isn't vulnerable to the java exploit, but it could be vulnerable to an experienced hacker who wants to use your server a malware jump point.
0
 
LVL 8

Author Closing Comment

by:Justin Moore
ID: 38776612
Perfect - thanks for explaining.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month (considering normal rate of Big Data Cetnters like …
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question