Java Security Update

Posted by Anthony Bryan on Thu, Feb 10, 2011 @ 12:09 PM

Oracle recently released a Security Alert for CVE-2010-4476 to fix a denial-of-service issue in the Java Runtime Environment.

According to Oracle, "Java based application and web servers are especially at risk from this vulnerability."

This includes all JSCAPE Servers. Relevant information for installation:

Shut Down JRE Instances Prior to Update
Prior to running the FPUpdater tool, you should stop all the software running on the JRE instance. Cached instances of the files to be updated may exist in running JRE software processes if you do not shut down the JRE software before running the FPUpdater tool. Restart the JRE software and/or associated applications after the FPUpdater tool has completed its work.

For example, stop the JSCAPE MFT Server process before installation, then restart it afterwards.

Oracle says desktop systems could be minimally affected.

A post on the Oracle blog expounds on this:

While only recently publicly disclosed, a number of Internet sites have since then reproduced details about this vulnerability, including exploit codes, which may result in allowing a malicious attacker to create a denial of service condition against the targeted system. Oracle therefore strongly recommends that affected organizations apply this fix as soon as possible. The Security Alert Advisory provides information on how to apply this fix and where to download it. In addition, note that the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011), which will be released on February 15th 2011.

Note that the impact of this vulnerability on desktops is minimal: the affected applications or applets running in Internet browsers for example, might stop responding and may need to be restarted; however the desktop itself will not be compromised (i.e. no compromise at the desktop OS level). Oracle therefore recommends that consumers use the Java auto-update mechanism to get this fix. This will prompt them to install the latest version of the Java Runtime Environment 6 update 24 or higher (JRE), which includes the fix for this vulnerability. JRE 6 update 24 will also be distributed with the Java SE and Java for Business Critical Patch Update - February 2011.
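
As an added example (not code from Oracle or JSCAPE), the shell function below classifies a JRE from its reported version string, using the "JRE 6 update 24 or higher" threshold quoted above. The host names and inventory lines are constructed samples. The check reads only the version string, so it cannot tell whether the FPUpdater tool has been run on an older JRE, and it reports non-Java 6 families as unknown because this post gives no threshold for them.

```bash
#!/usr/bin/env bash
# Added example: triage JREs against the "JRE 6 update 24 or higher"
# threshold quoted in the post. It reads only the reported version string,
# e.g. the first line of:  java -version 2>&1

# classify_jre VERSION_LINE -> prints: has-fix | pre-6u24 | unknown
classify_jre() {
    local line=$1 ver update
    # Extract the quoted version from e.g.:  java version "1.6.0_23"
    ver=$(printf '%s\n' "$line" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || ver=$line          # also accept a bare "1.6.0_23"
    case $ver in
        1.6.0_[0-9]*) update=${ver#1.6.0_} ;;
        1.6.0|1.6.0-*) update=0 ;;      # initial Java 6 release, no update number
        *) echo unknown; return 0 ;;    # other families: no threshold on this page
    esac
    update=${update%%[!0-9]*}           # drop build suffixes such as "-b06"
    if [ "$update" -ge 24 ]; then echo has-fix; else echo pre-6u24; fi
}

# Constructed sample inventory ("host|version line"); not real systems.
sample_inventory() {
cat <<'EOF'
mft-prod-01|java version "1.6.0_23"
mft-prod-02|java version "1.6.0_24"
mft-test-01|java version "1.6.0_07-b06"
legacy-01|java version "1.5.0_22"
EOF
}

# report: read "host|version line" pairs on stdin, print one status per host.
report() {
    local host line
    while IFS='|' read -r host line; do
        printf '%-12s %s\n' "$host" "$(classify_jre "$line")"
    done
}

# count_pre_fix: number of sample hosts still below 6u24 (update or run FPUpdater).
count_pre_fix() { sample_inventory | report | grep -c ' pre-6u24$'; }

sample_inventory | report
```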

 

Download the fix: Java SE Floating Point Updater Tool

Read the README before installation: FPUpdater Tool README

References:

Oracle Security Alert for CVE-2010-4476

Oracle Blog: Security Alert For CVE-2010-4476 Released

Java SE Floating Point Updater Tool

FPUpdater Tool README
