Monday Mar 28, 2016

Module System in JDK 9

From original blog post by Mark Reinhold 

The module system (JSR 376 and JEP 261) was integrated into JDK 9 last week and is now available for testing in early-access build 111.

Project Jigsaw is an enormous effort, encompassing six JEPs implemented by dozens of engineers over many years. So far we’ve defined a modular structure for the JDK (JEP 200), reorganized the source code according to that structure (JEP 201), and restructured the JDK and JRE run-time images to support modules (JEP 220).

Like the previous major change, the introduction of modular run-time images, the introduction of the module system might impact you even if you don’t make direct use of it. That’s because the module system is now fully operative at both compile time and run time, at least for the modules comprising the JDK itself. Most of the JDK’s internal APIs are, as a consequence, fully encapsulated and hence, by default, inaccessible to code outside of the JDK.

An existing application that uses only standard Java SE APIs and runs on JDK 8 should just work, as they say, on JDK 9. If, however, your application uses a JDK-internal API, or uses a library or framework that does so, then it’s likely to fail. In many cases you can work around this via the -XaddExports option of the javac and java commands. If, e.g., your application uses the internal sun.security.x509.X500Name class then you can enable access to it via the option

-XaddExports:java.base/sun.security.x509=ALL-UNNAMED 

This causes all members of the sun.security.x509 package in the java.base module to be exported to the special unnamed module in which classes from the class path are defined.
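As an added example (not code from the original post), the following class shows the situation the post describes: it references the internal sun.security.x509.X500Name class directly, so on JDK 9 it compiles and runs only when java.base/sun.security.x509 is exported to the unnamed module with the -XaddExports option quoted above (the option spelling is the one the post gives for early-access build 111). The class name and the distinguished name are made up for the example; the second half of main uses the standard Java SE javax.security.auth.x500.X500Principal, which needs no such option and is the supported replacement for most uses of the internal class.

```java
// UseInternalApi.java -- added example, not from the original post.
// Build and run on JDK 9 EA build 111 with the option from the post:
//
//   javac -XaddExports:java.base/sun.security.x509=ALL-UNNAMED UseInternalApi.java
//   java  -XaddExports:java.base/sun.security.x509=ALL-UNNAMED UseInternalApi
//
// Without the option, javac rejects the import below because the package is
// internal to java.base and not exported to the class path's unnamed module.
import sun.security.x509.X500Name;              // JDK-internal API (encapsulated in JDK 9)
import javax.security.auth.x500.X500Principal;  // standard Java SE API

public class UseInternalApi {

    // Hypothetical DN used for the example.
    static final String DN = "CN=example, O=Example Org";

    public static void main(String[] args) throws Exception {
        // Internal class: only reachable when java.base/sun.security.x509 is exported.
        X500Name internal = new X500Name(DN);
        System.out.println("internal X500Name : " + internal.getName());

        // Supported replacement: no -XaddExports required, and stable across releases.
        X500Principal standard = new X500Principal(DN);
        System.out.println("standard X500Principal: " + standard.getName());
    }
}
```

Treat the -XaddExports option as a migration aid, not a destination: it has to be repeated on every javac and java invocation, and the package it opens can change or disappear without notice, so the durable fix is to move to the standard API as the second half of main does.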


Monday Feb 08, 2016

Security Alert Released

Oracle released Security Alert CVE-2016-0603 to address a vulnerability that can be exploited when installing Java 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8. Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.

Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.

As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com, as these sites may be malicious.

For more information, check out the Security Alert CVE-2016-0603

Thursday Aug 28, 2014

Java and Security at JavaOne

In a Java Magazine interview, Jim Manico describes his JavaOne session on security. "I will be speaking about the top coding techniques and essential tools, including several Oracle Open Web Application Security Project (OWASP), Apache, and Google open source Java projects that will help developers build low-risk, high security applications". Jim is an author and educator of developer security-awareness training. You can find more details of his session in the JavaOne content catalog.

His session is part of a dedicated track about Java and Security, which addresses topics ranging from security tools and coding techniques to innovative products, and includes participation from recognized security leaders discussing policies and best practices. While the value of offensive security techniques is recognized, the focus of this track is primarily on defensive measures. 

Check out all the topics in the Java and Security track 

Tuesday Aug 05, 2014

Java and Security

Is Java inherently insecure? As a Java developer, what things should you think about in terms of security? How is ECC better than RSA? Is RSA good enough security? Hear what James McGivern, a software engineer in Cisco's Cloud Web Security group, has to say about securing your Java applications.

Resources

ECC vs RSA: Battle of the Crypto-Ninjas, James' slides from Devoxx UK 2014

Schneier on Security

Using the New JDK 8 Security Features: from JavaOne 2013

Oracle Security Resource Center

Oracle Java Platform Group, Product Management Blog

Security Curmudgeon Blog

A (relatively easy to understand) primer on elliptic curve cryptography

Friday May 31, 2013

Security and Java!

In a detailed blog, Nandini Ramani, Vice President of Software Development, summarizes Oracle's steps to address security issues on the Java platform. Amongst the most recent changes, she explains that "it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed". She lists the impacts of those changes and mentions, for example, that "Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations."

She also explains that "Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers. As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments). With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.”"

She adds that "starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products. In other words, Java will now issue four annual security releases."

Check out her original blog 

Tuesday Apr 30, 2013

Everything on the NetBeans Platform

NetBeans Principal Product Manager Geertjan Wielenga describes a myriad of software tools and applications in his blog in fields as diverse as biology, security, airport management, data analysis, data modeling, radiology, home automation, retail, and equipment safety - all of them created on the NetBeans Platform:
  • Alphalogic, an easy-to-use tool with high-level integration, control and monitoring for engineering systems and security systems
  • Platypus Application Designer, a tool to develop the structure of database applications, reusable SQL queries and client/server applications
  • Sypherlink Harvester, a tool collecting metadata, database statistics, sample data and more in relational and non-relational data sources
  • Total Airport Management (TAM)
  • Summit Management Systems, data acquisition and floor plant monitoring tools for assembly processes
  • Integrated Service Technology, a testing and analysis solution for integrated circuits
  • DigiMed, radiology software for hospitals in Mexico
  • Ksenia, security system configuration software
  • Vimar, home automation management software
  • Phyloviz, a visualization software tool for phylogenetics
  • Delcam Crispin, footwear CAD/CAM software
  • Autopsy, a digital forensics platform
  • Sristy Technologies, software solutions to analyze seismic data, drilling, completion and reservoirs for the energy sector
  • HEIDE, a multiprocessor microcontroller platform
  • SIEUFERD, a universal user interface for relational databases
  • Polaris Slipstream, an extensive data modeling application designed for NASA mission visualization
  • MammoControl DIANNA, a tool for analyzing and transmitting mammography images for the German Breast Cancer Screening Program
  • IGS-Bio, a motion capture software application
  • Klinika Medical Assistant, EMR software used in the Philippines
  • A series of software from Satlantic, an ocean technology company
  • Mongkie, an integrated network visualization platform for biological data
  • 4Vending, a vending machine management solution
  • Piraso, an open source debugger and analyzer tool
  • SafetyMach, European safety requirement software
Check his blog for details on each project.


Tuesday Apr 16, 2013

Java SE 7 Update 21 Release and more

Oracle has released three updates to Java. It is important to note that they contain several security changes. The releases are:

Java SE 7 Update 21
This release contains new features and fixes for security vulnerabilities, including a new Server JRE, JRE Installer linked with Uninstall Applet on Windows platform, changes to Security Dialogs and more. Oracle strongly recommends that all Java SE 7 users upgrade to this release. 
Release Notes   Download

Java SE 6 Update 45
This release contains fixes for security vulnerabilities. 
Release Notes   Download

Java SE Embedded 7 Update 21
This release is based on Java Development Kit 7 Update 21 (JDK 7u21) and provides specific features and support for embedded systems. 
Release Notes   Download

Security Changes 

In addition to security fixes, Oracle has included new security features in this release. These are significant:

  • Starting with Java SE 7u21, a Server Java Runtime Environment (Server JRE) package is available for deploying Java applications on servers. The Server JRE includes the same high performance JVM that is available in the JDK and JRE packages, tools for JVM monitoring and tools commonly required for server applications. It does not include browser integration (the Java plug-in), auto-update, nor installer. Learn more in the Release Notes.

  • Changes to Java Control Panel's Security Settings - In this release, low and custom settings are removed from the Java Control Panel (JCP)'s Security Slider. Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run. For more information, see the Security section of the Java Control Panel documentation.

  • Changes to Security Dialogs - Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog messages the user sees depends upon the risk factors. Low-risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher-risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk. See the Java Source Blog post IMP: Your Java Applets and Web Start Applications Should Be Signed.

    Resources that will be helpful for both developers and end-users are:
  • Changes to RMI - From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false. This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException. For more information, see RMI Enhancements in Java SE 7 documentation.

  • JDK for Linux on ARM - this release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.

Thursday Mar 28, 2013

IMP: Your Java Applets and Web Start Applications Should Be Signed

Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.

The April 16th, 2013 Critical Patch Update for Java SE (7u21) will change the launch behavior related to running Java Applets and Web Start Applications. Users will be presented with dialogs that provide additional information, and the user can choose to continue or terminate execution. For the best possible user experience, your Applets and Web Start Applications should be signed.

What does this mean? Java SE 7u21 will introduce changes to Java browser plug-in behavior, encouraging application authors and vendors to sign code with a certificate from a trusted Certificate Authority. You, as a developer, are strongly encouraged to sign code now in preparation for this release and future releases.

For more information, read Java Applet & Web Start - Code Signing on OTN.
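As an added example (not code from the original post or from the Java team), the program below is the check a developer or administrator can run on their own jars before this release lands: it opens a jar with signature verification enabled, reads every entry so that the JDK verifies the digests recorded in META-INF, and reports for each entry whether it is signed, the subject of each signer's certificate, and whether that certificate is self-signed (subject equal to issuer), which is the case the 7u21 security slider treats differently from a CA-issued certificate. The class name is made up; the jar path comes from the command line, and when none is given the program builds a small unsigned sample jar in a temporary file (constructed input) so that it runs stand-alone.

```java
// JarSignatureCheck.java -- added example, not code from the original post.
// Usage: java JarSignatureCheck path/to/app.jar
// Reports, per entry, the signer certificate subjects (or UNSIGNED). Because the
// JarFile is opened in verifying mode, an entry whose content does not match the
// signed digest raises a SecurityException while being read instead of passing.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class JarSignatureCheck {

    /** Entry name -> one description per signer; an empty list means the entry is unsigned. */
    public static Map<String, List<String>> signersOf(Path jar) throws IOException {
        Map<String, List<String>> report = new TreeMap<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {   // true = verify signatures
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue;   // skip the manifest and the signature files themselves
                }
                // Signers are only populated after the entry has been read to the end
                // and its digest checked, so drain the stream first.
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                List<String> signers = new ArrayList<>();
                CodeSigner[] cs = e.getCodeSigners();   // null for an unsigned entry
                if (cs != null) {
                    for (CodeSigner s : cs) {
                        // Element 0 of the cert path is the signer's own (leaf) certificate.
                        X509Certificate leaf =
                            (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                        boolean selfSigned =
                            leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                        signers.add(leaf.getSubjectX500Principal().getName()
                                    + (selfSigned ? " [self-signed]" : ""));
                    }
                }
                report.put(e.getName(), signers);
            }
        }
        return report;
    }

    /** Constructed sample: an unsigned jar with one text entry, so the program runs with no argument. */
    static Path buildUnsignedSample() throws IOException {
        Path p = Files.createTempFile("sample", ".jar");
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p), m)) {
            out.putNextEntry(new JarEntry("hello.txt"));
            out.write("hello".getBytes("UTF-8"));
            out.closeEntry();
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : buildUnsignedSample();
        for (Map.Entry<String, List<String>> e : signersOf(jar).entrySet()) {
            System.out.println(e.getKey() + ": "
                + (e.getValue().isEmpty() ? "UNSIGNED" : String.join("; ", e.getValue())));
        }
    }
}
```

Run against the constructed sample it prints a single line, `hello.txt: UNSIGNED`; against a jar produced by jarsigner it prints the signer's subject DN per entry, with `[self-signed]` appended when the signing certificate was not issued by a separate CA. A jar in which only some entries are signed shows up as a mix of both kinds of line, which is exactly the case the new dialogs treat as higher risk.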

Tuesday Feb 19, 2013

Updates to February Critical Patch Update for Java SE

Oracle has released Updates to February 2013 Critical Patch Update for Java SE. This update contains fixes for additional security vulnerabilities. Oracle recommends that customers apply Critical Patch Updates (CPUs) as soon as possible. You can read details on the Oracle Software Security Assurance Blog.

Released today is:

Auto-update and Manual Update of JRE 6 will Replace JRE 6 with JRE 7

Since JRE 6 has reached its End of Public Updates, Oracle is taking steps to protect consumer desktops. Oracle will not leave a version of Java installed for which Oracle no longer provides security updates.

In order to do so, when updating from JRE 6, the update mechanism will not only install the latest version of JRE 7 but will also remove the highest version of JRE 6 on the system. This change will happen when the system is updated via the auto-update mechanism or by checking for updates directly from the Java Control Panel. For more information, read the Java SE 7 Update 15 Release Notes.  

As always, consumers can get the Java Runtime Environment (JRE) from Java.com. Developers can get the Java Development Kit (JDK) and the Java Runtime Environment (JRE) from the Oracle Technology Network.  

Friday Feb 01, 2013

Critical Patch Update for Java SE

Oracle just released the February 2013 Critical Patch Update for Java SE. Oracle accelerated the release of this update because one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers was being actively exploited “in the wild”; that vulnerability is addressed by this Critical Patch Update. In addition to a number of security-in-depth fixes, this update contains fixes for 50 security vulnerabilities. Oracle strongly recommends that customers apply CPU fixes as soon as possible. You can read details on the Oracle Software Security Assurance Blog.

Released today is:

  • Java SE 7 Update 13
  • Java SE 6 Update 39
  • JavaFX 2.2.5

Consumers can get the Java Runtime Environment (JRE) from Java.com. Developers can get the Java Development Kit (JDK) from the Oracle Technology Network.  

About

Insider News from the Java Team at Oracle!
