New Java vulnerabilities remotely executable without login
It is extremely important that enterprises urgently patch their Java Runtime Environments (JREs) and (Java Development Kits) JDKs since 14 vulnerabilities addressed in this security update are remotely exploitable over a network without authentication — which are the most serious kind of threats.
This means that a remote attacker can exploit these vulnerabilities without a username or password to gain access or control of a target application. Applications running on any of JRE/JDK versions 5, 6, 7, and 8 which do not apply this patch are at risk of a dozen severe remotely-exploitable vulnerabilities which could result in the complete compromise of sensitive application data.
For Java 7-based applications, this is the last security update that will be publicly available — the proverbial “end of the road” for Java 7 application security. After today, the only version of the Java Platform which will receive public security updates is Java 8. This is huge news, and it is going to cause enormous headache and disruption to millions of application owners around the world.
Applications running on any of the prior vulnerable versions of Java – and there are millions of them – have two options today: either commence a full upgrade, retest, and redeploy lifecycle onto the latest Java SE 8 update, or install any of the new Java Container RASP (Runtime Application Self-Protection) technologies that will quarantine and protect the Java Platform and the entire application stack automatically.
Oracle’s rapid end of life schedule for Java versions is great for innovation and language evolution. However, there is a dangerous tradeoff, now millions of Java 7 applications will have to defend themselves against code level vulnerabilities without the benefit of future fixes.
Author: John Matthew, CTO at Waratek