As you may well be aware, late last week Security Explorations released a concerning report alerting to a severe remote code execution threat in the Java Runtime Environment. The threat stems from a faulty, 30-month-old Oracle patch; as Security Affairs reported, “CVE-2013-5838 was rated by Oracle 9.3 out of 10 because it could be exploited remotely by unauthenticated users to completely compromise a vulnerable system.”
While Java vulnerabilities are nothing new, this specific instance is particularly dangerous for a few reasons:
As the title of this blog indicates, 1E software has zero exposure to this threat. Additionally, this is a perfect example of why Java code will not be found in any 1E product, now or in the future, and of how Software Lifecycle Automation remains the most secure solution for the digital business. We strongly recommend that any company using Java code within their environment (plugin-based or self-contained) take a serious look at this exposure, as there is no known fix, patch or workaround other than to remove or disable any software leveraging this code.