Why Java is Not Your Friend

Oracle’s Java is one of the most widely used languages in software. Used to create applications, it is already installed on most computers; if not, many users have downloaded a program bundled with the Java runtime or have used its web plugin, which allows applications to run in a browser. It’s even built into most console servers.

According to Oracle 1:

  • There are 10 million Java developers worldwide
  • 15 billion devices run on Java
  • It’s the number one development platform

So, if something is this widely used, why doesn’t Opengear use Java? The security holes. Many sources 2 note that Java is one of the most vulnerable software applications that exposes computers to cyberattacks. There are also multiple versions constantly floating around which adds to the challenge.

Many Versions of Java

There are so many versions of Java floating around, and some older equipment only supports up to a certain version. Keeping multiple versions around so that they can interface with legacy programs can be challenging, and most of those systems will never benefit from the latest security fixes. This means organizations are at the mercy of each individual vendor to ensure that their interface is updated with the latest version of Java. Just because there is a new version of Java doesn’t mean all the vendors upgrade. If an organization’s interface is a legacy system, the vendor may no longer be working on it at all.

Increased Security Holes

Over the past few years, it seems as though Java vulnerabilities have been popping up more and more frequently. Many of you may recall or have been affected by the 169 security fixes in January 2015 or the 98 security fixes from April 2015 reported by Oracle 3. These instances aren’t isolated. Each year, the number of patch advisories seems to increase in an effort to address recurring security holes.

Java was designed to meet the needs of most users, so it boasts widespread compatibility. It runs on a host of devices including computers, printers and parking payment systems. It makes sense that a platform of this size presents one of the most attractive targets for a security attack.

Where do these vulnerabilities come from? A number of sources are specific to the Java platform, including vulnerabilities in the sandboxing mechanism and the class library. Unlike most programs, Java also doesn’t update itself automatically. To make matters worse, it only checks for updates once a month, which lengthens the window in which an attack can succeed.

Cisco’s Common Vulnerability Scoring System assigns each vulnerability a CVSS score. This system looks at environmental, temporal and base parameters to convey the severity of vulnerabilities, which helps organizations determine the priority of their response. Cisco’s report from 2015 showed that Java’s CVSS score has improved over the past few years; however, it still has some holes. Java vulnerabilities aren’t necessarily difficult to patch; however, most users of the program neglect to apply patches once they become available, creating a myriad of problems.

Reduced Vulnerabilities with Opengear

Opengear devices are Java free. We utilize a standard HTTPS interface to manage our devices such as the IM7200, Resilience Gateway and OM2200. This gives a standard and secure network infrastructure with:

  • Locked-down management interfaces with local and remote AAA
  • Encrypted sensitive management traffic
  • Logging features for audit trails and compliance

Learn how Opengear devices provide always-on availability and increased resilience for your organization – all Java free.

1 https://go.java/index.html
2 https://heimdalsecurity.com/blog/java-biggest-security-hole-your-computer/
3 https://tools.cisco.com/security/center/resources/cvss.html