10 Replies Latest reply on Feb 6, 2013 8:20 AM by TSGal

    Java 7 vulnerability

    TWE


           I saw on slashdot that Oracle issued an emergency patch on Sunday for the Java 7 vulnerability. Does the FMSA need this to avoid exploits related to older versions of Java?

           For more details look at this

      http://developers.slashdot.org/story/13/01/14/1641248/security-expert-says-java-vulnerability-could-take-years-to-fix-despite-patch

           and

      http://developers.slashdot.org/firehose.pl?op=view&type=story&sid=13/01/14/0016200

        • 1. Re: Java 7 vulnerability

               TWE:

               Thank you for the post.

               Please review FileMaker's Knowledge Base Article 11446 for additional information. Here is the full URL:

          http://help.filemaker.com/app/answers/detail/a_id/11446/

               TSFalcon
               FileMaker, Inc.
          • 2. Re: Java 7 vulnerability
            TWE

                 Article 11446 didn't tell me anything that I didn't already know. The question is "Is it important to install the new Java for FileMaker Server Advanced or not".

            • 3. Re: Java 7 vulnerability

                   TWE:

                   Thank you for the reply.

                    

                   If you have any version of Java prior to the most recent version released by Oracle, then there is a security vulnerability that can be exploited through web browsers running Java 7 Update 10 or earlier.

                    

                   If your concern is Java's security, then the update is recommended since according to Oracle, "This release contains fixes for security vulnerabilities." 

                    

                   However, FileMaker Server 12 Advanced and the FileMaker Server Admin Console will continue to function as before with previously tested versions of Java.

                    

                   For more information on Oracle Security Alert for CVE-2013-0422 see the following URL:

                    

              http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

                    

                   "Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

                    

                   TSFalcon

                   FileMaker, Inc.

              • 4. Re: Java 7 vulnerability
                TWE

                     Sorry, I'm still not getting the answer I'm looking for. Are either FileMaker Server 12 Advanced using Instant Web Publishing or FileMaker Server Admin Console exposed to this Java vulnerability? I'm looking for a recommendation from FileMaker, not Oracle.

                • 5. Re: Java 7 vulnerability
                  philmodjunk

                       You might consider that few users browse the web from their server...

                  • 6. Re: Java 7 vulnerability

                         TWE:

                         While this Java update is not critical to FileMaker Server, it is a very important Java security update. 

                          

                         FileMaker's recommendation is that users of all versions of FileMaker Server 11 and FileMaker Server 12 apply the update.

                          

                         TSFalcon

                         FileMaker, Inc.

                    • 7. Re: Java 7 vulnerability
                      tjsoftworks

                           I have asked this question many times and I also never get an answer that helps me make an informed decision that is appropriate in any given moment for a particular FileMaker Server version, on a particular OS version with a particular JAVA version.

                           Assumptions:

                           1)  I absolutely need to keep a particular FileMaker Server 9.x, 10.x, 11.x, 12.0 up and running for a customer

                           2) It is working just fine on the current OS but I need to use the FileMaker Server Admin GUI in some web browser on some machine - either the one the server is running on or another one, I really don't care which one.

                           3) There are no networking issues or firewall issues in getting to the server ports - 16000, 160001, etc.

                           What should I do about the JAVA version - 1) on the Server for FMS? - Is there anything that the FMS needs besides its own FMS Version updates?

                           2) What should I do with the JAVA version of the server hosting the FMS? Does it matter? Should I do anything? Is there really a vulnerability if the server is only used as a host to FMS?

                           3) Based on the above answers, do I need to do anything with JAVA environment for the OS in general. i.e. Change version? Enable this or that?

                           4) Now if I cannot use the current OS/FMS/JAVA version to launch FileMaker Server Admin console on a machine ( on the server or on another computer client ). What version of JAVA in the browser is compatible with FMS 9.x 10.x 11.x 12.x? What are "reasonable" settings to be safe with respect to communications with ONLY the FileMaker Server.

                           These questions and perspectives are specifically limited to only FileMaker Server and FileMaker Server Admin.

                           IMHO: FileMaker, Inc. should be able to provide guidance specifically on the intersection of FMS/OS/Java at any given moment. In the past, I have always had to experiment and make educated guesses but now this is getting way out of control. IMHO, FileMaker, Inc. needs to take the lead in providing a clear answer if I concede that the answer is ONLY for FileMaker Server to FileMaker Server Admin console ( using java ).

                           I believe this is what the above posts are looking for at minimum.

                      • 8. Re: Java 7 vulnerability
                        TSGal

                             All:

                             Thank you for your posts.

                             We are continuing to learn more about this Java issue daily, and our preliminary report is that the latest download of Java appears to be secure for FileMaker Server 11 and 12.  FileMaker Server 9 only runs with Java 6 release 7, and currently, FileMaker Server 10 has not been tested.

                             TSGal
                             FileMaker, Inc.

                        • 9. Re: Java 7 vulnerability
                          tjsoftworks

                               Thank you for the information on FMS9 and Java 6 release 7...... except what platform? and what platform version OS X 10.6, 10.7, 10.8? Win Server 2003, 2008, 2012???

                               On FMS10 .... are you saying that since release years ago, no compatibility has been done at all ?

                               And then finally the first sentence where FMS11 and FMS12 are mentioned .... are you saying it is safe to upgrade to the latest version of Java ( today I believe that is Java 7 release 12 no.... I just checked and we are up to Java 7 release 13 and Java 6 Update 39 as of today. )

                               I have been requesting a chart form that lists OS Version, FileMaker Server version, and Java Version for a long long long time ....

                                

                               Even your data point on FileMaker Server 9  with Java release 7 doesn't tell me whether it is safe to run this with the browser plug-in turned off and only have FileMaker Server 9 turned on..... Then in the cases which interaction with the server is required, I would temporarily turn off the browser plug-in, interact with the web gui FileMaker Server Admin and then turn it back off. I assume ( perhaps wrongly ) that that would be of minimal risk. Am I correct?

                               We really need help with more details and guidance. We need to know before the update is applied that it is not going to break the FileMaker Server Admin interaction, or have a method of sandboxing the version so that it can easily be brought back as needed.

                               It is my opinion that FileMaker Server and its inability to weather across OS system updates and Java updates that is really killing productivity.

                               In contrast, I have a CrashPlan Server which is 100% java that has a web interface that has never in 4 years ever required me to think about what java version is safe or right or incompatible. In my mind there are two paths forward that are workable: 1) spend the test time to keep the server own make the right decision as soon as a java patch comes out or 2) leave java behind quickly in need for any browser interaction via java. How about an app? a native app?

                                

                          • 10. Re: Java 7 vulnerability
                            TSGal

                                 Terry J Fundak:

                                 The Java vulnerability occurs with all versions prior to the current version.  There would definitely be an issue with FileMaker Server 9 since FileMaker Server 9 can only run with a maximum of Java 6 release 7.  Testing has reported the latest Java release has fixed any potential vulnerabilities with FileMaker Server 11 and 12.   Full testing has not been completed.  No information available about FileMaker Server 10.

                                 Currently, the Admin Console is a Java based application, and therefore, it will work on Mac OS or Windows operating systems.  At this time, we are unaware of any specific system issues.

                                 I'll report more as information becomes available.

                                 TSGal
                                 FileMaker, Inc.