Tuesday Nov 08, 2011

Old Versions of Cisco AnyConnect and Java 6u29

In Oracle Java 6u14, we introduced blacklist support. The blacklist "is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications". Once a signed jar is listed there, it will never be loaded. Recently, in 6u29, we added more entries to the list. Some of them are for the Cisco AnyConnect Mobility Client, and you can see why this is a very serious problem on Cisco's own support page.

Unfortunately, it seems that quite a lot of AnyConnect servers out there have not been updated to the latest version. Some are not that old and do no harm to a Windows client, but they can still be exploited if the client runs on a non-Windows system such as Linux or Apple Mac OS X. Read the Cisco page above for details.

Therefore, 6u29 users will see an error when trying to install the AnyConnect client from such a server; see, for example, this report to Cisco. AnyConnect admins, please update your server as soon as possible.

Please note that this is not a vulnerability in Oracle's JRE. On the contrary, 6u29 protects you from any possible exploit of this issue that could damage your system.
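As an added illustration of the check described above (example code, not Oracle's or Cisco's own), the following Python snippet computes the digest the JRE blacklist keys on and looks it up, which is how an admin can tell whether a jar deployed on a server is one that 6u29 clients will refuse to load. It assumes the blacklist file layout of comment lines plus `SHA1-Digest-Manifest: <base64 SHA-1 of META-INF/MANIFEST.MF>` entries, as in jre/lib/security/blacklist; the jar and the blacklist contents are constructed samples, not the real 6u29 entries.

```python
import base64
import hashlib
import io
import zipfile

# Added example, not Oracle's or Cisco's code. It mirrors the lookup the JRE
# performs: base64(SHA-1(META-INF/MANIFEST.MF)) of a jar is compared against
# the "SHA1-Digest-Manifest:" entries of the blacklist file (assumed layout).

def make_jar(manifest_text: str) -> bytes:
    """Build a minimal jar in memory (constructed sample, unsigned)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        zf.writestr("vpn/Main.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()

def manifest_digest(jar_bytes: bytes) -> str:
    """Return base64(SHA-1(META-INF/MANIFEST.MF)) for the given jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF")
    return base64.b64encode(hashlib.sha1(manifest).digest()).decode("ascii")

def parse_blacklist(text: str) -> set:
    """Collect the digests from blacklist text, skipping comments and blanks."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key.strip() == "SHA1-Digest-Manifest" and value.strip():
            entries.add(value.strip())
    return entries

def is_blacklisted(jar_bytes: bytes, blacklist_text: str) -> bool:
    """True if the jar's manifest digest appears in the blacklist."""
    return manifest_digest(jar_bytes) in parse_blacklist(blacklist_text)

# Constructed samples: a manifest standing in for an outdated client jar, an
# updated one, and a blacklist that lists only the outdated jar's digest.
OLD_MANIFEST = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
NEW_MANIFEST = "Manifest-Version: 1.0\r\nCreated-By: constructed sample v2\r\n\r\n"
SAMPLE_BLACKLIST = (
    "# blacklist (constructed sample, not the real 6u29 file)\n"
    "SHA1-Digest-Manifest: " + manifest_digest(make_jar(OLD_MANIFEST)) + "\n"
)

if __name__ == "__main__":
    for name, m in (("old", OLD_MANIFEST), ("new", NEW_MANIFEST)):
        print(name, "blacklisted:", is_blacklisted(make_jar(m), SAMPLE_BLACKLIST))
```

To audit a real deployment, read the jar from disk and the blacklist from the JRE's lib/security directory instead of the constructed samples.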