Java exploit, the inevitable question
Steve Riley
steve at rileyz.net
Wed Jan 16 06:45:54 UTC 2013
On 2013-01-15 21:32:06 Gene Heskett <gheskett at wdtv.com> wrote:
>
> All in all, I failed to see anything in the above links that would
> indicate this version:
>
> gene at coyote:/etc/alternatives$ java -version
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.5)
> (6b24-1.11.5-0ubuntu1~10.04.2)
> OpenJDK Server VM (build 20.0-b12, mixed mode)
>
> is affected. But I expect we should be suitably cautious regardless.
> I'll start by making all varieties of java, including beans, "always
> ask" so I can at least get an idea of what web sites are trying to use
> java.

There is not universal agreement that the vulnerability is contained only
to Java 7.

http://krebsonsecurity.com/tag/cve-2013-0422/

"Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of
this bug at the National Vulnerability Database (NVD), for example, states
that the vulnerability is present in Java versions going back several
years, including version 4 and 5. Analysts at vulnerability research firm
Immunity say the bug could impact Java 6 and possibly earlier versions. But
Will Dormann, a security expert who’s been examining this flaw closely for
CERT, said the NVD’s advisory is incorrect: CERT maintains that this
vulnerability stems from a component that Oracle introduced with Java 7.
Dormann points to a detailed technical analysis of the Java flaw by Adam
Gowdiak of Security Explorations, a security research team that has alerted
Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle
tried to fix this particular flaw in a previous update but failed to address
it completely."
...Steve