As you may be aware, late last week Security Explorations released a concerning report alerting to a severe remote code execution threat in the Java Runtime Environment. The threat stems from a faulty patch Oracle issued 30 months ago; as Security Affairs reported, “CVE-2013-5838 was rated by Oracle 9.3 out of 10 because it could be exploited remotely by unauthenticated users to completely compromise a vulnerable system.”
While Java vulnerabilities are nothing new, this specific instance is particularly dangerous for a few reasons:
- It is well known and understood by attackers, and even the most up-to-date JRE patch levels do not prevent it
- Security Explorations went public PRIOR to informing Oracle. It was quoted directly in a ComputerWorld article on this threat: “the company’s new policy is to inform the public immediately when broken fixes are found for vulnerabilities that the company has already reported to vendors.” It then added, “We do not tolerate broken fixes anymore”
- As a result, there is a lot of public noise about a known opening in any company’s attack surface, and attackers need only know which software to look for
As the title of this blog post indicates, 1E software has zero exposure to this threat. It is also a perfect example of why Java code will not be found in any 1E product, now or in the future, and of how Software Lifecycle Automation remains the most secure solution for the digital business. We strongly recommend that any company running Java code in its environment (plugin-based or self-contained) take a serious look at this exposure, as there is no known fix, patch or workaround other than removing or disabling any software that relies on this code.