Java Security Alert January 2013

Executive Summary

Last week, a critical Java security vulnerability was announced, and this high-profile security flaw has been widely covered by the media. We want to assure our customers that this vulnerability does not affect your Eclipse software.

Even though Eclipse uses Java technology extensively in both our Solar client and our JBoss application server, this vulnerability does not apply to standalone desktop Java applications or to servers.

While this security vulnerability does not impact your Eclipse software, we urge you to follow Oracle’s recommendations for securing any workstations that may be running the affected versions of their Java runtime environment.

FAQ

What action do I need to take to secure my workstations that run Solar?

If you have installed JRE 7, the version of Java bundled with Solar in Eclipse 8.7.4.09 or later, you should immediately update Java (Control Panel -> Java -> Update tab -> Update Now).

If you have installed JRE 6, the version of Java bundled with Solar in Eclipse 8.7.4.08 or earlier, no action is necessary.
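For administrators who need to check many Solar workstations, the following PowerShell script (an added example, not part of this advisory or the Eclipse software) lists the Oracle JREs registered on a Windows machine and applies the rule above: any JRE 7 install means Java must be updated, JRE 6 alone means no action. It assumes the standard Oracle registry layout under HKLM:\SOFTWARE\JavaSoft (and Wow6432Node for 32-bit JREs on 64-bit Windows); only the version-family rule comes from the advisory.

```powershell
# Added example: inventory registered Oracle JREs and apply the advisory's rule.
# Registry layout below is an assumption about the standard Oracle installer,
# not something stated in the advisory.
$jrePaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # 32-bit JRE on 64-bit Windows
)

$installed = foreach ($path in $jrePaths) {
    if (-not (Test-Path $path)) { continue }
    # Subkeys are named by version, e.g. "1.6", "1.6.0_NN", "1.7", "1.7.0_NN".
    # Keep only fully qualified names (with an update number) to avoid duplicates.
    Get-ChildItem $path |
        Where-Object { $_.PSChildName -match '^1\.\d+\.\d+_\d+$' } |
        ForEach-Object {
            $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
            [pscustomobject]@{
                Version  = $_.PSChildName
                Family   = [int](($_.PSChildName -split '\.')[1])   # 6 or 7
                JavaHome = $javaHome
                RegView  = if ($path -like '*Wow6432Node*') { '32-bit' } else { 'native' }
            }
        }
}

if (-not $installed) {
    Write-Output "No Oracle JRE registered on $env:COMPUTERNAME."
    return
}

$installed | Format-Table -AutoSize

# Advisory rule: JRE 7 present -> update now; JRE 6 only -> no action required.
$jre7 = $installed | Where-Object { $_.Family -eq 7 }
if ($jre7) {
    Write-Warning "JRE 7 present on $env:COMPUTERNAME; update Java now (Control Panel -> Java -> Update tab -> Update Now)."
} else {
    Write-Output "Only JRE 6 or earlier present on $env:COMPUTERNAME; no action required by this advisory."
}
```

Run it in an elevated PowerShell session on each workstation, or wrap it in Invoke-Command to collect results from many machines at once.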

What action do I need to take to secure my Eclipse server?

No action is necessary. Eclipse does not use JRE 7 on the application server.

What is the danger of this vulnerability?

Here is a summary of the Java security alert, taken from US-CERT Alert (TA13-010A):

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

The impact of this vulnerability is also described in Oracle Security Alert for CVE-2013-0422:

These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.

To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities.