NIAGARA TECH TIP RELEASED REGARDING JAVA 7 SECURITY ISSUE

It is STRONGLY recommended that customers download and install Java 7 Update 11.
PROBLEM:
On Monday, January 14, Oracle issued a Security Alert for CVE-2013-0422. This is a response to a US-CERT Alert reporting a vulnerability that affects Java running in web browsers. Details about the Security Alert can be found at this link:
http://oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html


Oracle has issued Java 7 Update 11 to address this vulnerability. Lynxspring strongly recommends customers using Java 7 Update 10 or earlier download and install the patch immediately. This patch can be downloaded from Oracle at this link:
http://oracle.com/technetwork/java/downloads/index.html

This security alert only affects customers who are using Java 7, including Java Platform Standard Edition 7 (Java SE 7), Java SE Development Kit (JDK 7), and Java SE Runtime Environment (JRE 7), in all versions through Java 7 Update 10. The affected Java VM is not included in any products currently offered by Lynxspring or Tridium.
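To find client PCs that still fall in the affected range, the check below classifies captured `java -version` output against the Update 11 threshold. It is an added example, not code from Lynxspring, Tridium or Oracle; the hostnames and banners are constructed, and it assumes the banner text has already been collected from each PC.

```python
import re

# Matches the first line of `java -version`, e.g.: java version "1.7.0_10"
# Also accepts a build suffix such as "1.7.0-ea".
VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[^"]*)?"')

FIXED_UPDATE = 11  # Java 7 Update 11 addresses the alert, per the advisory


def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # "1.7.0" with no "_NN" suffix is the initial Java 7 release (update 0).
    return int(m.group(1)), int(m.group(3) or 0)


def classify(banner):
    """Classify one banner against the advisory's affected range."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"        # no Java found, or unrecognised output
    major, update = parsed
    if major != 7:
        return "not-java-7"     # outside the scope of this alert only
    return "affected" if update < FIXED_UPDATE else "patched"


def report(inventory):
    """Map each hostname to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: hostname -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "ws-02": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "ws-03": 'java version "1.7.0"',
    "ws-04": 'java version "1.6.0_38"',
    "ws-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The `java` on the command-line path is not always the runtime registered with the browser plug-in, so PCs with more than one Java installation need each runtime checked.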

Tridium’s Response:
Tridium has issued a Tech Tip on Niagara Central that includes this information:
http://www.niagara-central.com/ord?portal%3A%2Fdev%2Fwiki%2FOracle_Security_Alert_CE-2013-0422_%2528Java_7%2529

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SOLUTION:
Do I need to disable Java?
While using Java to access Niagara systems is safe, accessing unknown, untrusted web sites may create risk. If Java is disabled, Niagara’s hx profiles provide a non-Java, but less featured alternative to the Java-based browser interface. Tridium recommends that customers evaluate the risk of enabling Java based on how the affected PC is used. In any case, Tridium recommends that customers download and install Java 7 Update 11. The patch can be found at this link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Does this affect Niagara?
No, Niagara is not directly affected by this vulnerability. Niagara is indirectly affected when customers use Java in a web browser.

But I thought Niagara used Java?
There are no Niagara products which use the affected Java VM. However, when connecting to Niagara in a browser, Niagara does use the browser Java VM that is already installed on a client PC. That Java VM is typically installed on a PC in the factory by the manufacturer or installed and managed by the IT department responsible for the PC.

What does the update do?
Java 7 Update 11 repairs the vulnerability but also increases Java's security setting to "High" by default. With a High security setting, users will be warned prior to any unsigned applications running in order to prevent silent exploitation.

Additional Resources:
Initial Alert from US-CERT

Vulnerability Note

Oracle Security Alert

Java SE Downloads