By Tori Wieldt-Oracle on Apr 16, 2013
Oracle has released three updates to Java. It is important to note that they contain several security changes. The releases are:
Java SE 7 Update 21
This release contains new features and fixes for security vulnerabilities, including a new Server JRE, a JRE Installer linked with the Uninstall Applet on the Windows platform, changes to Security Dialogs, and more. Oracle strongly recommends that all Java SE 7 users upgrade to this release.
Release Notes Download
In addition to security fixes, Oracle has included new security features in this release. These are significant:
- Starting with Java SE 7u21, a Server Java Runtime Environment (Server JRE) package is available for deploying Java applications on servers. The Server JRE includes the same high-performance JVM that is available in the JDK and JRE packages, tools for JVM monitoring, and tools commonly required for server applications. It does not include browser integration (the Java plug-in), auto-update, or an installer. Learn more in the Release Notes.
- Changes to Java Control Panel's Security Settings - In this release, the low and custom settings are removed from the Security Slider in the Java Control Panel (JCP).
Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run.
For more information, see the Security section of the Java Control Panel documentation.
- Changes to Security Dialogs - Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog message the user sees depends on the risk factors. Low-risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher-risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk. See the Java Source Blog post "IMP: Your Java Applets and Web Start Applications Should Be Signed."
Resources that will be helpful for both developers and end-users are:
- What should I do when I see a security prompt from Java? (Java.com FAQ)
- Java Content in the Browser — Application Publisher Security Messages (Java.com FAQ)
- Java Applet & Web Start - Code Signing (OTN FAQ)
- Changes to RMI - From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.
This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.
For more information, see RMI Enhancements in Java SE 7 documentation.
- JDK for Linux on ARM - this release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.
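
For the RMI default change described above, a log triage sketch (an added example, not code from the original post or from Oracle): it scans application logs for the stated symptom, a java.rmi.UnmarshalException with a nested java.lang.ClassNotFoundException, and counts the classes that failed to load. The sample log, its class names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log for illustration; class names and line numbers are made up.
SAMPLE_LOG = """\
2013-04-17 09:12:01 ERROR OrderClient - remote call failed
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
\tjava.lang.ClassNotFoundException: com.example.orders.OrderImpl
\tat sun.rmi.server.UnicastRef.invoke(UnicastRef.java:173)
Caused by: java.lang.ClassNotFoundException: com.example.orders.OrderImpl
2013-04-17 09:12:05 ERROR OrderClient - remote call failed
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
\tjava.io.EOFException
\tat sun.rmi.server.UnicastRef.invoke(UnicastRef.java:173)
2013-04-17 09:13:40 ERROR StockServer - dispatch failed
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
\tjava.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
\tjava.lang.ClassNotFoundException: com.example.stock.Quote
\tat sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:354)
"""

CNFE = re.compile(r"java\.lang\.ClassNotFoundException: ([\w.$]+)")

def split_traces(log_text):
    """Group each top-level line with its indented and 'Caused by:' lines."""
    groups = []
    for line in log_text.splitlines():
        continuation = line[:1].isspace() or line.startswith("Caused by:")
        if continuation and groups:
            groups[-1].append(line)
        else:
            groups.append([line])
    return groups

def codebase_failures(log_text):
    """Count, per class, the traces where RMI unmarshalling hit ClassNotFoundException."""
    missing = Counter()
    for group in split_traces(log_text):
        text = "\n".join(group)
        if "java.rmi.UnmarshalException" not in text:
            continue
        match = CNFE.search(text)
        if match:  # other nested causes (e.g. EOFException) are skipped
            missing[match.group(1)] += 1  # one count per trace, not per mention
    return missing

if __name__ == "__main__":
    for cls, n in codebase_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {cls}")
```

Each class reported is a candidate for being added to the receiving JVM's classpath or served from its own java.rmi.server.codebase setting.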