SANS ISC InfoSec Forums

All I need Java for is ....
Symantec Endpoint Protection Manager Console; although they also offer an HTML version, it just doesn't work as well.
Anonymous
Cisco ASA web-based GUI management requires Java.
Anonymous
According to the status page of security-explorations, they asked Oracle if any assistance is needed to run the exploit code or if third-party confirmation is required.

By now Adam Gowdiak (security-explorations) quipped about the situation:
It's simple to run the code, he said.
"That's basically a 10 min. job (unless Oracle uninstalled Java from all their systems due to security concerns),"
...HAHA
Anonymous
Dear Bad Guys,

Attached, please find a list of security applications that you should now be targeting with Java-based exploits. Have fun!

Sincerely,
The Internet
wrodina

1 Posts
Tripp Lite UPS management cards
Anonymous
Our piece-of-**** webmail system is implemented as a browser-side Java applet.

Our SSL VPN client is loaded and executed with a web browser.

Our enterprisey internal instant messaging system for intra-project collaboration is implemented as... you guessed it, a browser-side Java applet. XMPP clients are officially deprecated.
No Love.

37 Posts
SSL VPN clients from several vendors do not require Java if using the standalone SSL client, but the web-based SSL VPN client connections use Java.

As for Tripp Lite management cards, their very latest firmware requires Java, but they are also maintaining their pre-Java firmware at this time. The Java-based ones suck anyway, IMO. I reverted mine back.
RichH

9 Posts
I think it’s important to keep in mind the context of the term “Java” when referring to Java. Many vendor consoles are Java-based but free from simply being extensions of the browser. The issues Java has been experiencing lately are tied to the Java Runtime Environment (JRE) which runs within the browser (and elsewhere depending on what you’re doing). Java on the whole isn’t under attack or else nearly all of our mobile devices (amongst so much else) would be under siege right now.

As far as what I use it for in a business context, those things have already been named.

@wrodina: As far as this being some sort of script kiddie hitlist, that's not necessarily true. The issues of late with the JRE are mostly exploited via drive-by attacks/downloads, attacking the victim because the JRE is installed already for having to use these things that we're listing here, not those things directly.
AHenderson

2 Posts
Startech SV1107IPEXT 1-port IP/KVM uses it for remote console access, but there's also a native Windows client.
Anonymous
I'm surprised that none of you said

"Oh, I only need Java for SANS Webinars (Elluminate Live!)"

I mean, if SANS is as hypocritical as to start a thread about the risks due to enabling Java for 'a couple applications', you'd think they'd at least acknowledge the reason (cost, complexity, laziness, technical requirements... what?) they continue to 'require' us to use it to access their webinars.

GeoffB

3 Posts
For all the folks saying "<whatever> doesn't require Java if you use IE or ActiveX"... This also assumes the world revolves around Redmond and nobody ever uses anything but an MS OS on the desktop, ever. Which isn't the case... Which I'm glad for, since my Linux users cause far less fall-out from the malware-du-jour effect than the other 2 big desktop platforms do.

Networker (EMC backup product) management console needs Java, BTW.

But IMHO all of these are far less important than the ****-ware that requires a specific, old, buggy release of Java and won't run with the newest Java 6 or 7 JREs. If an app at least supports a modern patched version of the JRE/Flash, then I can govern who I trust to run Java/Flash/whatever and who I don't.

I mean, c'mon folks, shouldn't we all be running NoScript or NotScripts or something similar by now? *ANY* browser add-on/plugin/whatever that turns web content into executable content is inherently insecure. You're trusting someone else's server on someone else's network to feed executable to your browser in the (vain) hope that it will never be allowed to do unintended things or break out of sandboxes, etc. Which is why we should be, by default, not allowing these things to run in our browser unless we've explicitly said we trust that particular site (which is a risky enough proposition as it is).

As for the SANS Webinars requiring Java, I for one applaud whoever decided that whatever solution they use should work for those of us on Linux desktops. I truly detest all the junk out there that just assumes everyone everywhere runs either a Mac or Windows, and to purgatory with anyone else because they don't matter. I especially detest vendors trying to sell me something aimed at Linux/Unix admins, but demanding I use some lame Windows VM to try to attend some webinar. Phooey. Am I a curmudgeon for wanting vendors to use standards that (gasp) cross platforms? And as chock full o' security holes as Java and Flash are, at least they TRY to be cross-platform.
Brent

123 Posts
Posted this on another site some time ago, but it applies very well here too:
As a platform in your browser, I feel that, just like Adobe's Flash, Oracle's Java has run its course.

I have several applications that require Java:
APC UPS monitoring software
LSI MegaRAID Storage Manager
Supermicro IPMIView

Obviously I can't live without these programs, and they control and/or monitor hardware which costs a lot of money. Simply getting rid of Java is not the solution here.

But you know what, I just uninstalled the Java runtime from my machine, and these programs work just fine anyway.
That's because they bundle Java in their installation directories; now that itself is a real security problem. (Do you ever think they care to upgrade the included Java, and how many Java versions are actually installed on my system? But that's for another discussion.)

Since I uninstalled Java the attack vector is gone; the browser can no longer use Java, and therefore in that view Java is no longer running on my machine.
But my programs that actually depend on Java still run just fine, so I'm a happy camper.
Brent
10 Posts
Some little website called ADP.com & the poorly written games hosted there
CBob

22 Posts
I use ZAP and Burp, among other things. Every Java application I use can run in Java 7, so there is no excuse not to keep up with the latest version (or at least backported fixes, which Oracle doesn't exactly make easy). The same could be written in other languages, but (1) they aren't, and (2) even if they were, similar problems probably exist; they just aren't highlighted yet.
CBob
2 Posts
@Dave: What version of SEPM? My SEPM server has never had Java "installed". I see SEPM v12.1 has a JRE folder integrated within its installation folder..... (their javaw.exe says it is v7u9)..... which I suppose presents its own problems if the attacker knows it's there and can get to it. But no Java is "installed", nor directly available from a web browser.

K-Dee

65 Posts
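Brent's observation that his vendor tools kept working after he uninstalled the JRE, and K-Dee's note that SEPM carries its own javaw.exe inside its install folder, describe the same defender problem: runtimes nobody installed on purpose, which patch management therefore never sees. The script below is an added example for this thread, not code from SANS ISC, Symantec, APC, LSI or any other vendor. It walks a set of directories for anything named like a Java launcher, asks each one for its version banner, normalises both the old "1.x.y_uu" and the newer "11.0.2" numbering so they compare, and flags every runtime below a baseline you choose. The default baseline, the default search roots and the launcher file names are assumptions to adjust for your own environment.

```python
"""Inventory every Java runtime on a host, including JREs bundled inside
application folders, and flag those below a patch baseline.
Added example for this thread; not vendor or SANS ISC code."""
import os
import re
import subprocess
import sys
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, update)

# File names a bundled launcher is usually given (assumption; extend as needed).
JAVA_NAMES = {"java", "javaw", "java.exe", "javaw.exe"}

# Example baseline, not a recommendation from the thread: set it to the
# version your own patch standard requires.
MIN_SUPPORTED: Version = (7, 0, 11)

# `java -version` prints its banner on stderr, e.g.
#   java version "1.7.0_09"
#   openjdk version "11.0.2" 2019-01-15
_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner: str) -> Optional[Version]:
    """Normalise a version banner to (major, minor, update).

    The pre-9 "1.x.y_uu" scheme is mapped to (x, y, uu) so that 1.7.0_09
    compares correctly against 11.0.2; trailing build or qualifier tokens
    such as "-ea" or "+12" are ignored. Returns None if no banner is found.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    nums: List[int] = []
    for token in re.split(r"[._+\-]", m.group(1)):
        if not token.isdigit():
            break
        nums.append(int(token))
    if not nums:
        return None
    if nums[0] == 1 and len(nums) > 1:  # old 1.x scheme: drop the leading 1
        nums = nums[1:]
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def is_outdated(version: Optional[Version], baseline: Version = MIN_SUPPORTED) -> bool:
    """Unknown versions count as outdated: a runtime that cannot even report
    its version is exactly the kind nobody is patching."""
    return version is None or version < baseline


def find_java_binaries(roots: List[str]) -> Iterator[str]:
    """Walk the given directories and yield every executable whose name
    matches a Java launcher. Unreadable directories are skipped silently."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in JAVA_NAMES:
                    path = os.path.join(dirpath, name)
                    if os.access(path, os.X_OK):
                        yield path


def probe_version(path: str) -> Optional[Version]:
    """Run `<path> -version` and parse the banner; None if it will not run."""
    try:
        proc = subprocess.run([path, "-version"], capture_output=True,
                              text=True, timeout=20)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def inventory(roots: List[str], baseline: Version = MIN_SUPPORTED) -> List[Dict[str, object]]:
    """One record per launcher found: path, parsed version, outdated flag."""
    records: List[Dict[str, object]] = []
    for path in find_java_binaries(roots):
        ver = probe_version(path)
        records.append({"path": path, "version": ver,
                        "outdated": is_outdated(ver, baseline)})
    return records


if __name__ == "__main__":
    # Default search roots are an assumption; pass your own on the command line.
    default_roots = ([r"C:\Program Files", r"C:\Program Files (x86)"]
                     if sys.platform.startswith("win") else ["/usr", "/opt"])
    for rec in inventory(sys.argv[1:] or default_roots):
        v = rec["version"]
        shown = ".".join(map(str, v)) if v else "unknown"
        flag = "OUTDATED" if rec["outdated"] else "ok"
        print(f"{flag:8} {shown:10} {rec['path']}")
```

Run it as an administrator against the application directories you care about (the SEPM install folder, the APC and LSI tool directories, and so on) rather than only the system-wide JRE path; the point is to catch the copies your patch tooling does not own. A runtime that cannot be identified is reported as outdated on purpose, since a launcher that will not answer `-version` still deserves a look.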
At home? Nothing at all. Not a single darn thing. And I like it that way.

At work? I have to keep Java 6, Update 28 (and no higher) installed for proxy management. I can't even install the latest patches.
Jasey

93 Posts
Used for work:
* Ekahau - Site Survey (wireless site survey and troubleshooting)
* InMon - sFlowTrend (network monitoring tool)

Used for living in Denmark:
* NemID - Danish digital signature needed for authentication in online banking and any government website (it's based on Java, and you have no alternative if you want to communicate electronically with your bank or government, no matter if you are a Linux, Mac or Windows user).
Jakob

2 Posts
PowerSchool, a web-based student info system used by TONS of school districts in the US.
Jakob
1 Posts