Tuesday, November 12, 2013

Java Security Announcement

As you may know, the free edition of Oracle JDK 1.6 is no longer supported, and no patches are being released for it, even for known security vulnerabilities. Further, the download page clearly states, "Oracle no longer posts updates of Java SE 6 to its public download sites. All Java 6 releases ... have been moved to the Java Archive.... Oracle recommends that users migrate to Java 7 in order to continue receiving public updates and security enhancements."

Consequently, many Java 6 exploits are publicly available, and news media have reported that they are being actively used; for example:

http://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-with-security-expl/240160443

http://arstechnica.com/security/2013/09/security-of-java-takes-a-dangerous-turn-for-the-worse-experts-say/

Therefore, we strongly recommend that all OSG sites upgrade from Java 6 to Java 7 as soon as possible.

We are aware of issues with the latest OpenJDK 1.7.0_45 release and BeStMan, which will be addressed in a follow-up email very soon.

Recently, the OSG Technology area completed a thorough review, made updates, and ran many tests to ensure that OSG software works with OpenJDK 1.7. The Java 7 migration project was released to production in the OSG 3.1.23 release on 10 September 2013. Hence, when updating Java to 1.7, we urge sites to update their OSG software, too, if it is older than 3.1.23.

For more information, see:

https://twiki.opensciencegrid.org/bin/view/Documentation/Release3/Java6Migration

https://twiki.opensciencegrid.org/bin/view/Documentation/Release3/InstallSoftwareWithOpenJDK7

Need help? Let us know:

https://www.opensciencegrid.org/bin/view/Documentation/Release3/HelpProcedure

Please submit problems, requests, and questions at:
https://ticket.grid.iu.edu/goc