
Advisory: Java Critical Update

STEAM-ADVISORY NO. 201407171201
PURDUE UNIVERSITY SECURITY STEAM-CIRT
Thursday, July 17th, 2014 12:25pm


==OVERVIEW==
Oracle released the Critical Patch Update for July 2014 to address many
vulnerabilities in a large number of its products. Java SE was updated
to correct twenty (20) security vulnerabilities. ITSP recommends that
you apply this Java update as soon as possible.


==SYSTEMS AFFECTED==
All systems that have Java SE installed are impacted. This includes most
desktops and laptops on the Purdue network. Only the versions of Java SE
released on July 15th, 2014 have the known security vulnerabilities
corrected. All other versions are considered vulnerable and unsafe to use.


==DETAILS==
On July 15, 2014 Oracle released its monthly critical patch update for
many of its products. This release included twenty (20) corrected
security vulnerabilities for Java SE. All twenty are remotely
exploitable without authentication. This means that a Java applet from
any website can compromise the security of a computer. Eight (8) of the
vulnerabilities have a Common Vulnerability Scoring Standard (CVSS) score
at or above 9.3 (out of 10). The high scores indicate that several of
the vulnerabilities can be exploited to allow attackers to completely
compromise the system.

These security issues are significant and easily exploited by attackers.


==SOLUTIONS==
Oracle has corrected the issues and released new versions of Java SE for
immediate deployment and installation. The following versions have the
security vulnerabilities corrected:

Java SE 8u11 (version 8, update 11)
Java SE 7u65 (version 7, update 65)

For system administrators, ITSP recommends that you test and deploy the
corrected versions of Java as soon as possible. For Purdue ePO-managed
systems, some additional protection may be provided by McAfee
SiteAdvisor. This protection is limited to blocking access to known
malicious web sites that may harbor Java exploits. SiteAdvisor should
not be considered a complete solution, though.
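
One way to audit collected `java -version` output against the corrected
versions listed above (an added example, not part of the original
advisory or any ITSP tooling). The host names and sample output are
constructed, and treating later updates in the same family as patched is
an assumption.

```python
import re

# Fixed update levels named in the advisory, keyed by Java SE major version.
FIXED_UPDATE = {7: 65, 8: 11}

# Legacy "1.<major>.<minor>[_<update>]" scheme printed by `java -version`
# for Java SE 8 and earlier, e.g. 'java version "1.7.0_55"' or 1.8.0_11-b12.
_VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A release with no "_NN" suffix (e.g. 1.7.0) is update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host's output."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"  # Java absent or output not recognised: check by hand
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    # Assumption: updates above the fixed level in a family keep the fixes.
    # Families with no corrected release in the advisory (e.g. 6) are
    # reported as vulnerable, per "all other versions".
    if fixed is not None and update >= fixed:
        return "patched"
    return "vulnerable"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "lab-pc-01": 'java version "1.7.0_55"',
    "lab-pc-02": 'java version "1.7.0_65"',
    "lab-pc-03": 'java version "1.8.0_05"',
    "lab-pc-04": 'java version "1.8.0_11"',
    "lab-pc-05": 'java version "1.6.0_45"',
    "lab-pc-06": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
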

For self-supported users, update your Java version by downloading the
latest Java SE installation package from the Oracle Java website (see
below).

If you do not need to run Java applets through your web browser, you can
use the Java Control Panel to uncheck the "Enable Java content in the
browser" option in the Security tab. This will limit exposure to
web-based Java exploits.


==FURTHER INFORMATION AND RESOURCES==
oracle .com /technetwork/topics/security/cpujul2014-1972956.html
oracle .com /technetwork/java/javase/downloads/index.html
(copy/paste and remove the spaces)


==STEAM-CIRT CONTACT INFORMATION==
For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
purdue .edu /securePurdue/incidentReportForm.cfm
purdue .edu /securepurdue/steam
(copy/paste and remove the spaces)

Posted by ITSP on July 17, 2014, in Advisory Alerts.