An Oracle blog about Java Technology

Oracle Speaks up on Java Security

Guest Author

As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability. As you know, the vulnerability pertains to Java in the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle's relative silence on the issue.

Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue. The lead for Oracle Security, Martin Smith, and Donald Smith from the OpenJDK team very recently had a conference call with worldwide JUG leaders. The recording of the meeting is available here. This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java security and communication fronts.

You are encouraged to participate in this crucial dialog and provide your feedback.

John Spragge offers his opinions on these very issues in his intelligent, insightful blog post: A passionate defence of Java's virtues. It is well worth a read if you are a fan of GlassFish, Java EE or Java.

Comments ( 7 )
  • Mark Scott Wednesday, January 30, 2013

    The best thing you can do about Java security? Release update catalogues so enterprises who have invested time and money into Microsoft System Centre Configuration Manager can patch Java RE and EE utilising existing infrastructure.

    Adobe do this for Flash and Reader and you should follow suit, and quickly.

  • Reza Rahman Wednesday, January 30, 2013

    Thanks for the thoughtful suggestion. I'll try my best to pass it on.

  • Java concern Sunday, February 10, 2013

    Is it that we should disable java and keep it disabled? When is the fix even likely to appear?

  • Reza Rahman Sunday, February 10, 2013

    I am as much in the dark about this as you are as to what the official Oracle recommendation is. This blog: https://blogs.oracle.com/security/ is supposed to be the definitive source on such things but I'm not sure it actually addresses any of these questions (it just reads like release notes to me).

    The only thing out there that I know of is Cameron's purely personal suggestions: http://www.infoq.com/news/2013/01/jdk6-retirement (look at the discussion thread). Given what I know personally so far, I think Cameron's suggestions are on the money.

    Sorry I can't give you a clearer answer. We can all hope one will be forthcoming soon...

  • Steven Friday, February 22, 2013

    I'm seconding that request! Get us a SCUP catalog and fast! Help us secure our enterprise!


  • Reza Rahman Friday, February 22, 2013

    Just so you are aware, I have already passed on this bit of feedback. The options are being carefully weighed as Milton and Donald promised.

  • Agence web Wednesday, March 27, 2013

    Very interesting thank you very much good work