Java security questions answered

Most of the products tested (except Windows Server 2012) use Oracle's Java in one form or another, at least for client access and in some cases within the management interface as well. With numerous vulnerabilities recently discovered in Java, leading to guidance from the Department of Homeland Security and others to disable it entirely, this raised questions about the usability and possibly even the security of the devices tested.

We asked each vendor participating in the review to address the impact of Java as it relates to the products supplied to us for testing, together with guidance for users.


-- WatchGuard said that the SSL 560 appliance is not vulnerable to the Oracle Java 7 Security Manager Bypass Vulnerability outlined in US-CERT Alert TA13-010A; however, client systems that utilize the Java-based Access Client feature could be vulnerable if they are running Java 7 Update 10 or lower. The vendor recommends updating to Java 7 Update 11 or later. Clients using Internet Explorer can disable Java and use the ActiveX client loader instead.

-- According to Barracuda Networks, the Java exploit described in the US-CERT alert does not directly affect the Barracuda SSL VPN. All sessions are self-contained and users are not exposed to external links, scripts or redirection without the administrator explicitly adding the resource. Consequently, clients are not exposed to "drive-by download" or other social engineering risks within the SSL VPN context. The vendor recommends using the latest Java update on client machines and disabling Java execution from the browser when not needed.

-- Dell says that while some access methods leverage Java technology for proxy-based browser access, there are alternative access methods such as Connect Tunnel, Mobile Connect, or proxy-based browser access using ActiveX. The vendor recommends that administrators determine whether Java is appropriate for a specific deployment.

-- F5 says the BIG-IP Edge Gateway 3900 is not affected by CVE-2013-0422, as this vulnerability applies specifically to untrusted code and BIG-IP doesn't allow code from other sources to be run on the platform. In addition, BIG-IP uses Java 1.6 and, according to F5, the vulnerability only affects Java 1.7.

-- Cisco indicated there is some impact on endpoint advanced functionality, especially if users decide to disable Java as a result of the CVE-2013-0422 alert. The main components relying on Java are the ASDM configuration software and Web launch/Web Deploy of the AnyConnect client. The latter can be circumvented by using pre-deployment of AnyConnect.
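The vendor guidance above boils down to one client-side check: is the endpoint running a Java 7 build older than Update 11 (the fixed release named for US-CERT TA13-010A / CVE-2013-0422), and is Java 6 in play at all. The following script is an added example, not code from Network World or any of the vendors quoted, that parses `java -version` banners into (major, update) pairs and flags the ones that need the update. The host names and banner strings in SAMPLE_INVENTORY are constructed for illustration; the threshold (7u11) and the "Java 6 not affected" rule come from the statements on this page. It also handles the post-Java-9 banner format so the same parser works on a mixed fleet today.

```python
"""Classify client Java runtimes against the Java 7 Update 11 fix for CVE-2013-0422
(US-CERT TA13-010A). Added example; hosts and banners below are constructed."""
import re
import subprocess

# Fixed release named in the vendor guidance on this page: Java 7 Update 11.
FIXED_MAJOR = 7
FIXED_UPDATE = 11

_BANNER_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner):
    """Return (major, update) from the text of a `java -version` banner.

    Handles the legacy scheme ("1.7.0_10", "1.6.0_38", "1.7.0_11-b21"), where the
    update number follows the underscore, and the post-Java-9 scheme
    ("11.0.2", "17.0.8+7"), where the update number is the third component.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % banner)
    ver = m.group(1)
    if ver.startswith("1."):
        major = int(ver.split(".")[1])
        upd = re.search(r"_(\d+)", ver)
        update = int(upd.group(1)) if upd else 0
    else:
        parts = re.split(r"[.+_-]", ver)
        major = int(parts[0])
        update = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return major, update


def is_affected(major, update):
    """True only for Java 7 builds older than 7u11. Java 6 is treated as not
    affected (as F5 states above); 7u11 or later carries the fix."""
    return major == FIXED_MAJOR and update < FIXED_UPDATE


def classify(banner):
    """Map one banner to 'update-required', 'ok' or 'unknown' (no Java / unparsable)."""
    try:
        major, update = parse_java_version(banner)
    except ValueError:
        return "unknown"
    return "update-required" if is_affected(major, update) else "ok"


def local_java_banner():
    """Run `java -version` on this machine. The JVM prints its banner to stderr.
    Returns None when no java binary is on PATH or the call fails."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    out = proc.stderr or proc.stdout
    return out.splitlines()[0] if out else None


# Constructed sample inventory (host -> first lines of `java -version` output).
SAMPLE_INVENTORY = {
    "laptop-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "laptop-02": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "kiosk-03": 'java version "1.6.0_38"',
    "dev-04": 'openjdk version "11.0.2" 2019-01-15',
    "bad-05": "java: command not found",
}


def report(inventory):
    """Return {host: status} for a mapping of host -> banner text."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
    print("this host:", classify(local_java_banner() or ""))
```

A fleet inventory tool would replace SAMPLE_INVENTORY with whatever it collects per host; the "unknown" bucket is worth reviewing by hand, since a host with no Java on PATH may still have a browser plug-in installed from a separate JRE.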

Read more about wide area network in Network World's Wide Area Network section.

Stories by Susan Perschke