RSA Admin

Support for Java SE 6 is needed

Discussion created by RSA Admin Employee on Apr 6, 2010
Latest reply on Feb 22, 2011 by RSA Admin

The Java SE 5 branch has reached end of life and is no longer being supported by Sun/Oracle unless you migrate to Java for Business. I spoke to a rep at Oracle recently and he confirmed that this was the case, and this weekend security updates for Java were released for JDK/JRE 6 (update 19) as well as JDK/JRE 5 (update 23), but in the latter case updates were released ONLY for the "Java for Business" family, not the Java Standard Edition (SE) family.

Can RSA provide support for the Java SE 6 branch so that the event viewer works through that version of Java?  Any Java SE 6 version after update 13 doesn't work for the enVision event viewer.  This includes the enVision 4.0 SP3 platform.

 

I can confirm without any doubt that vulnerabilities for Java are being exploited on the web through drive-by downloads, just like you have with Adobe Reader and Adobe Flash vulnerabilities. So not upgrading Java isn't an option, and Java for Business, unlike Java SE, requires paid support.

"One of our researchers recently discovered that the Liberty exploit kit included a fairly new [Java] exploit from November 2009 ... http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867"

"Now I’m not saying that [the Liberty exploit kit] is being served up by ad networks, but the stats pages for the exploit kits are certainly saying that" (http://thompson.blog.avg.com/2010/03/fresh-exploit-served-up-with-ads.html)

 

"We have seen an increasing number of sites that contain a new exploit kit."

"Many people don't install Java updates, so it's a perfect attack vector. If you look at control panel statistics, you can see that they are very successful. Java exploit is the most successful exploit." (http://www.malwaredomainlist.com/forums/index.php?topic=3570.0)

 

"I received feedback from some readers who doubted whether anyone ever tried to attack Java flaws. As we can see from the second screenshot above, the Java exploit was the second most successful attack" (http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/)

 

Java End-Of-Life policy

http://java.sun.com/products/archive/eol.policy.html
