Thread: Open JDK risks

  1. #1
    Join Date
    Jun 2007
    Location
    Canada (West Coast)
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Open JDK risks

    I have been helping people make the switch to Linux.
    One of the questions I get asked, because the security risks of Java have gotten a lot of news coverage this year, is "Does Java pose a risk to my files on Linux like it does to Windows files?"

    My reply has been that "Open Source JDK used on Linux systems should be pretty safe because, like other open source applications, the source code gets examined by many people and anything that appears to be a risk is addressed quickly."

    Of course most of the people I help have no idea what "open source" means and to them Java is Java but they take my word for it.

    I am wondering if my assurances are valid or if OpenJDK poses a similar risk to Oracle Java and if I should discourage them from installing OpenJDK?

    What do you other people who have more knowledge about Java have to say about this?

    Thanks

  2. #2
    Join Date
    Nov 2008
    Location
    S.H.I.E.L.D. 6-1-6
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Open JDK risks

    Quote Originally Posted by MacDuff:
    I have been helping people make the switch to Linux.
    One of the questions I get asked, because the security risks of Java have gotten a lot of news coverage this year, is "Does Java pose a risk to my files on Linux like it does to Windows files?"

    My reply has been that "Open Source JDK used on Linux systems should be pretty safe because, like other open source applications, the source code gets examined by many people and anything that appears to be a risk is addressed quickly."

    Of course most of the people I help have no idea what "open source" means and to them Java is Java but they take my word for it.

    I am wondering if my assurances are valid or if OpenJDK poses a similar risk to Oracle Java and if I should discourage them from installing OpenJDK?

    What do you other people who have more knowledge about Java have to say about this?

    Thanks
    moved to security discussions

    No one can really say for sure, there are some issues that (have) affected OpenJDK and Oracle Java at the same time. Take for example http://www.ubuntu.com/usn/usn-1693-1/
    Don't waste your energy trying to change opinions ... Do your thing, and don't care if they like it.

  3. #3
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Open JDK risks

    There is something important to understand about the relationship between OpenJDK and Oracle Java: OpenJDK 7 is the open source reference implementation of Java -- all Java. Any implementation that calls itself Java, including Oracle Java 7 (per Oracle itself -- Oracle ordained this relationship) must comply with OpenJDK 7 as its standard. Oracle admits even they themselves are not there yet, but they are the ones who have set that standard.

    Many people do not realize that the primary driving force behind OpenJDK 7 in terms of development effort is ... drumroll, please ... Oracle. They actually have a large team of engineers dedicated to it.

    If you ask me, the safe bet is to assume that any vulnerability in Oracle Java 7 is also present in OpenJDK 7, even though that may not always be, in fact, the case in any particular instance. With regard to OpenJDK 7, I don't think that "open source" implies the same sense of "security" that we expect in many other open source projects.

    When all the hoopla was going on last October with Oracle Java 7, Red Hat's labs found that the same sandbox-jumping vulnerability present in Oracle Java 7 was present in OpenJDK 7.

    This isn't a Linux thing. Windows users were vulnerable, too. In fact, one of last year's exploits determined if the JVM was running in Windows, Apple or Linux and behaved appropriately in each OS to exploit the sandbox jump.

    I think the whole JVM ecosystem needs to be reworked from the ground up.

    Edit:

    Instead of the "open source" argument in this case, I think the better case is made by saying that apparmor can provide a deeper level of protection in Linux.
    Last edited by QIII; October 22nd, 2013 at 07:00 PM.
    My Blog
    Ubuntu Help Pages I'm constructing: AMDGPU and AMDGPU-PRO
    Don't let the truth get in the way of a good story!
    This universe is crazy. I'm going back to my own.


  4. #4
    Join Date
    Jun 2007
    Location
    Canada (West Coast)
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Open JDK risks

    Thanks QIII

    I am more knowledgeable on the subject of Java now, and really appreciate your point about apparmor.

    So what is your opinion about the risks of someone using a 'buntu to do on-line banking and similar tasks if they have OpenJDK installed (or any other web based Java apps)?

    Mac

  5. #5
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Open JDK risks

    Frankly, I'm surprised banks still use anything that depends on the Java browser plugins, either Oracle or IcedTea.

    I think it is very risky, but it's a fact of life.
    My Blog
    Ubuntu Help Pages I'm constructing: AMDGPU and AMDGPU-PRO
    Don't let the truth get in the way of a good story!
    This universe is crazy. I'm going back to my own.


  6. #6
    Join Date
    Jun 2007
    Location
    Canada (West Coast)
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Open JDK risks

    I too would be surprised if any financial institution would use Java applications but I think what the user was asking, and I did not quote him completely, was "Does having OpenJDK installed on my computer pose any risk to me if I do connect to a bank to do on-line financial transactions?" This connection would presumably be a secure connection provided by the bank.

    Is it probable that someone using OpenJDK might be exposed to a bad guy/girl using the flaws in Java to remotely implant a key logger or remote desktop viewer or some other tool to obtain access to the user's confidential information?

    I have not considered this before. I guess it's true that teaching the pupil teaches the teacher.

    Mac

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Open JDK risks

    The applet the bank uses would need to be modified to act as anything other than what it would normally do, no?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  8. #8
    Join Date
    Jun 2007
    Location
    Canada (West Coast)
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Open JDK risks

    Thanks for the help folks. I will assure the newbies that they have nothing to fear from installing OpenJDK on their 'buntu installations, but for reasons other than what I gave them when they first asked.

    This is my 10th installation for people new to Linux and all but one have stayed with it, though not always with the distro that I first recommended/installed. That is the beauty of freedom. In all those installations I have only encountered one Windows application that could not be replaced or satisfactorily substituted for on Linux. We have come a long way in the past 6 years.

  9. #9
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    2,449
    Distro
    Ubuntu Development Release

    Re: Open JDK risks

    Does the bank require Java? If not, it's pretty easy to disable the browser plugin except when it's needed. The only time we have needed Java is for a chat app. Personally, I prefer to have a small partition with an install used ONLY for transactions requiring security. No Flash, no Java, no Facebook, etc. etc.

  10. #10
    Join Date
    Mar 2009
    Beans
    1,670

    Re: Open JDK risks

    Speaking as somebody who writes financial software for fortune 500 companies, yes financial software uses Java. Oracle Financials makes heavy use of it. Oracle database has Java components. Lots of other big financial software from other companies uses it.

    Be that as it may, most of that Java is on a server somewhere, not on your browser. IMO Java applets are a bad idea. Java on a server can be properly protected.

    Java is much more pervasive than a lot of people think. If you own a Blu-ray player, then you are using Java. Probably if you have a smart TV or set-top box, or a smart DVD or smart anything else, it has Java.

    Security: Some of the issues that come up are implementation-specific. Other issues are problems with the specification. As with any security vulnerability you need to look at what it is before making judgments.
