  • New Java Vulnerabilities No Threat To IBM i

    January 23, 2013 Alex Woodie

    The Java vulnerabilities that hackers have been exploiting on computers around the world do not exist on the implementation of Java that IBM runs on its IBM i platform, IBM officials confirmed last week.

    “IBM has confirmed that the IBM Java Software Development Kit (SDK) and IBM Java Runtime Environment (JRE) are not vulnerable to this reported exploit,” spokesperson Kristin Bryson, of IBM’s Systems and Technology Group, told IT Jungle via email. “The IBM version of Java (which is used on IBM i) has been tested for this issue and it is not in the IBM version of Java.”

    The Java vulnerabilities took the IT security world by storm after hackers began exploiting the flaws before Oracle could issue a patch. The ready availability of exploit kits and the slow response from Oracle led the federal government to recommend that computer users protect themselves by removing Java from their systems. The new security flaws in Java are isolated to the Web browser and don’t impact server implementations of Java, IBM said.

    It all started on January 10, when CERT issued a security alert warning about a zero-day vulnerability (CVE-2013-0422) in version 7 update 10 of the Java Development Kit (JDK) that was being actively exploited. The flaw, which actually involved multiple vulnerabilities, allowed hackers to run arbitrary code on affected systems.

    On January 13, Oracle responded to the so-called “Security Manager Bypass Vulnerability” with JDK version 7 update 11. The software giant encouraged users to apply the update to their JREs “as soon as possible” to avoid falling victim to the flaw, which requires users to visit a maliciously crafted website.

    In addition to addressing CVE-2013-0422, Oracle also addressed another critical Java vulnerability, CVE-2012-3174, that allows hackers to take full control of victims’ computers. The details of this second vulnerability have not been disclosed, according to CERT, but it carries the same severity level: 10.0 on a scale of 1 to 10. Oracle says in its security alert for CVE-2013-0422 that it also fixes CVE-2012-3174.

    Although the underlying flaw exists in the JDK, it appears that Oracle’s Java implementation, its Java Runtime Environment (JRE) version 1.7, is the one mainly affected by these vulnerabilities. Oracle’s JRE has been ported to multiple systems, including Windows, OS X, and Linux systems. Oracle’s JRE is arguably the world’s most popular Java environment. But dozens of other software vendors, including IBM, Hewlett-Packard, SAP, and Microsoft, also develop JVMs (Microsoft discontinued its JVM in 2011).

    IBM stopped using Sun Microsystems’ tools to develop its Java Virtual Machine (JVM) and JREs (a JRE is composed of a JVM and Java class libraries) with the launch of IBM i 7.1 in 2010. That was the year that IBM stopped supporting the “classic” 64-bit JVM for i5/OS that was originally developed with Sun’s tools. Taking the place of the classic 64-bit JVM were two other “J9” JVMs (one 32-bit and one 64-bit) that IBM wrote using its own IBM Technology for Java (IT4J) tooling. These JVMs support JDK version 1.7 and earlier, and are used, basically unchanged, across IBM’s complete line of IBM i, AIX, Linux, and Windows servers.
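
An added example, not part of the original article and not IBM's or Oracle's code: a small inventory check that reads `java -version` banners and sorts them by the vendor and update level the article distinguishes. The host names and banners are constructed samples with placeholder build ids, the verdict labels are this example's own, and treating every Oracle 7 build below update 11 as needing the fix is an assumption (the article names only update 10).

```python
import re

# Constructed `java -version` banners; build ids are placeholders, not real builds.
SAMPLES = {
    "desktop-01": 'java version "1.7.0_10"\n'
                  "Java(TM) SE Runtime Environment (build 1.7.0_10-bNN)\n"
                  "Java HotSpot(TM) 64-Bit Server VM (build NN.N-bNN, mixed mode)",
    "desktop-02": 'java version "1.7.0_11"\n'
                  "Java(TM) SE Runtime Environment (build 1.7.0_11-bNN)\n"
                  "Java HotSpot(TM) Client VM (build NN.N-bNN, mixed mode)",
    "ibmi-prod": 'java version "1.7.0"\n'
                 "Java(TM) SE Runtime Environment (build PLACEHOLDER)\n"
                 "IBM J9 VM (build PLACEHOLDER)",
    "legacy-01": 'java version "1.6.0_38"\n'
                 "Java(TM) SE Runtime Environment (build 1.6.0_38-bNN)\n"
                 "Java HotSpot(TM) Client VM (build NN.N-bNN, mixed mode)",
    "broken-01": "sh: java: not found",
}

VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def classify(banner):
    """Return (vendor, major, update, verdict) for one `java -version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return ("unknown", None, None, "unparsed")
    major, update = int(m.group(1)), int(m.group(2) or 0)
    if "IBM J9" in banner:
        # IBM's statement in the article: its SDK/JRE does not contain the flaw.
        return ("ibm", major, update, "not-vulnerable-per-ibm")
    if "HotSpot(TM)" in banner:
        if major != 7:
            return ("oracle", major, update, "not-covered-by-article")
        # Assumption: any Oracle 7 build below update 11 needs the fix.
        verdict = "update-to-7u11" if update < 11 else "patched"
        return ("oracle", major, update, verdict)
    return ("other", major, update, "check-vendor-advisory")

def needs_update(inventory):
    """Hosts whose banner maps to an Oracle 7 build older than update 11."""
    return sorted(h for h, b in inventory.items()
                  if classify(b)[3] == "update-to-7u11")

if __name__ == "__main__":
    for host, banner in sorted(SAMPLES.items()):
        print(host, classify(banner))
    print("needs update:", needs_update(SAMPLES))
```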

    This article was corrected. IBM did not recently issue a patch for a Java vulnerability, CVE-2010-4476. It actually patched that flaw when it was discovered in February 2011. IT Jungle regrets the error.




Volume 23, Number 3 -- January 21, 2013