Java Zero-Day Exploit

Java 7 Update 10 has been in the news recently - see here - http://tinyurl.com/cbnuel4 

My company has a webiste where some of the server side code is JSP. Should we be concerned? We recently upgraded the SDK to 1.7 and are using Apache 2.0 with Tomcat 6.0.35

If there is an issue what should we do about it?

Thanks!
LVL 9
jmac44Asked:
Who is Participating?
 
Chris HConnect With a Mentor Infrastructure ManagerCommented:
Yes.  The specific java vulnerability has nothing to do with a web server.  Simply a user, an internet browser and java are all that is needed.  I'm saying, if  a user logged into your web server and launched internet explorer with java enabled, then they're vulnerable to the exploit from an infected website.  (granted it's just sitting on the DMZ with no firewall)

Hackers are using all different kinds of techniques (ie, sql injection, brute force, fuzzing...  not really the java exploit) to infect server web pages with this form of malware so when joe shmoe gets redirected to the website, their computer runs the hackers code via a java exploit.  Your webserver isn't vulnerable to the java exploit, but it could be vulnerable to an experienced hacker who wants to use your server a malware jump point.
0
 
Chris HInfrastructure ManagerCommented:
This issue lies on the JVM on the client side.  Hackers are using other exploits to compromise those webservers and are running malicious java script.  Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.

read this:
http://xianshield.org/guides/apache2.0guide.html
0
 
Dave BaldwinFixer of ProblemsCommented:
And Oracle has supplied an update that is supposed to fix the client problem as of Sunday night.
0
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

 
Dave BaldwinFixer of ProblemsCommented:
I did notice the original file date on the update was last October.  Don't know if that was correct or just a mistake in the rush to provide a 'fix'.
0
 
jmac44Author Commented:
Choward - I don't understand what you mean by this statement. Your web server is not vulnerable to this exploit unless a user was actually surfing the web with the java update installed.
0
 
jmac44Author Commented:
Perfect - thanks for explaining.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.