Today, our Enterprise Architect mentioned that a recent vulnerability was discovered in the JRE 1.7. I found an article the JRE 1.7 vulnerability recommending disabling Java.
I am running JDK 1.5 and 1.6 at work (like many organizations, we're not on the latest of technologies), so no problems there.
At home I am doing development with Java SE 7u6. I'm playing with Grails, Spring Security, trying to keep learning.
I have already gone and disabled the Java Plug-in in all my browsers on my home development machine. However, does anyone know if my home dev machine is still vulnerable by virtue of having the JDK 7 installed? I did find this article on US-CERT declaring the vulnerability notice: Oracle Java JRE 1.7 Expression.execute() fails to restrict access to privileged code.
It sounded like as long as the browser is not able to run Applets, I should be fine (it should not with the Java Plug-in disabled). However, what about Java Web Start/JNLP? Could that get invoked? That's the only other thing I could think of, other than Applets, that might be of concern.
Just wondering if I need to go through the efforts of uninstalling my Java SE 7 and dropping back to a JDK6.
What have others done upon learning of this security issue with JRE 1.7?
The details of the latest vulnerability have not been made public. However, my understanding is that it only affects Java browser plugins. The recommended mitigation is to disable the Java browser plugins. No mention is made of non-plugin Java, so I think it is safe to assume that your dev machine is not vulnerable simply by virtue of having Java 7 installed.
However, what about Java Web Start/JNLP? Could that get invoked?
I don't think so. I think it is safe to assume that the people who found the problem would have thought of that potential attack vector. (But simple common sense says that you wouldn't want to be launching random JNLP programs in the first place ...)
I understand it as if you have to visit a malicious site to become infected. So no, you are not at risk simply by virtue of having Java 7 installed in your browser.
Some useful links:
US-CERT link which explains the vulnerability:
http://www.kb.cert.org/vuls/id/636312
Oracle link to their Security Alerts (not just Java, but also including Java):
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
As of writing (30 Aug 2012) I cannot see that Oracle has yet issued an alert for this. I can't really figure out if they only issue such alerts AFTER a patch has been created. According to US-CERT site Oracle was officially alerted on 29 Aug 2012 but they may already have known about it because blog reports about the vulnerability started a few days before the 29th.
What you can read on the Oracle site is that the next planned "Java SE Critical Patch Update" is on 16 October 2012. Surely they won't wait for that but release an out-of-band patch for this vulnerability asap. (they've done so before)
Related
We are still running Magento community version 2.3.4x.
We are upgrading since 4 months to current version, there were many plug-ins not compatible and so on.
Now we are about 2-3 weeks before we can fully switch.
On 11. of Oct. Adobe released:
Security update available for Adobe Commerce | APSB22-48
https://helpx.adobe.com/security/products/magento/apsb22-48.html
But our version of out of service since one month.
So we can not switch now, and there is also no patch.
Adobe Commerce 2.4.5 and earlier versions
What can we do until then?
I know this is not an adequate question here, but since It will probably affect 60% of all Shop worldwide, it's necessary to ask this here.
Maybe try this: https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches
This repository contains Magento 2 Patch Files for the recently found security issues on 12-10-2022. The patch files aim to fix the CVE-2022-35698 and CVE-2022-35689 vulnerabilities.
Virgo tools limits the maximum Dynamic Web Module version of Web Application Bundles to the old 2.5
It seems that my Virgo server version (3.6.2) is using Tomcat 7, that is able to manage more recent servlet specifications (I need 3.0)
I'm beginning to think that Virgo tool are not as actively mantained as Virgo server is. In fact, tools documentation talks about Juno and Indigo releases and Kepler is going to be replaced in 5 days as stable release
Are Virgo tools a commonly used way to develop against the Virgo server in eclipse?
Are they been slowly forgotten by users/developers?
With the Eclipse Kepler release (June 26, 2013), 4 projects were removed. Virgo was one of them.
I just stumbled upon this post - for anyone still interested, a quick update: Yes, the Virgo Tools are still actively developed. We are using them since 2014 and are using them in Eclipse Mars --> Neon --> Oxygen.
The tooling is working really well in our case, we have also set up a fork for extending the tooling to better support our development. If you are interested, have a look at:
https://github.com/esd-ches/virgo-tools
I would like to ask a question about wether or not I should do the migration to Liferay 6.2.
Me and my team are working since 4 month on a portal quite big developed with Liferay 6.1 (CE edition) and now, since the project publication date is still 4-5 month ahead (so I do have time), I was wondering if doing the migration to 6.2 now is a good choice.
I already tried the new version and I must say I am impressed about the new features and since now I haven't find any bugs.
Anyone had any experience on developing portlet/themes on Liferay 6.2? Is is worth it to do the migration now or shall I wait for the next ga2 release?
Any suggestion is very welcome.
Thanks
Depends mostly on the kind of work you've done on that portal. Even slight upgrades in Liferay, can have major differences in the source code. If this affects the work you've done, it will affect the upgrade too. For example, things will get difficult to update if :
You have developed custom portlets, as they will need recompilation for the new runtime
Developed Portlets that use ServiceBuilder might need more work than just a recompilation
Using Hooks (even simple jsp hooks) might need re-writing. ext hooks will almost certainly need to, and it can become a major pain
On, the other hand, if most of your work had to do with light theming and content management, it could become an relatively easy and painless upgrade.
In any case, make sure to keep a backup of your Liferay Database, because once you upgrade, there is no way to downgrade back to the initial version.
As you're using CE, my recommendation is to upgrade as soon as possible. Reason is that there are no more updates for 6.1, now that 6.2 is out. If you're going live in 5 months, you'd be on a version that's unsupported for half a year at the date of publication.
The alternative is to go to EE, which is supported for ~5 years from release, e.g. you'll have several years of support in front of you. However, as Liferay is paying my salary, note that I might be biased...
Of course, being unsupported "by Liferay" does not mean that you won't be able to fix any bugs or issues, but you'll have to do this on your own, and sooner or later you should upgrade anyway... If you're not yet live, I'm recommending to do it sooner.
Liferay 6.2 does not (yet) support as many marketplace apps as Liferay 6.1. Also Liferay 6.2 CE has bugs, and patches are available only to EE subscribers; this forced us to use Liferay 6.1 CE instead of 6.2 CE.
You will have issues if you are using the Vaadin framework under Liferay.
Liferay 6.2 CE does not support Vaadin out of the box ... it is delivered with Vaadin 6.8, but it is broken - your portlet code will break.
You would have to consider moving to Vaadin 7.1 at best ... and that is a non-trivial code migration as many items have been deprecated between 6.8 and 7.
I went that route and the learning curve was unexpectedly steep.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have done some research on JavaFX over the last year, and even built some basic desktop apps with it.
It's described as being used to create RIAs (Rich Internet Application).
http://en.wikipedia.org/wiki/Javafx
But can it really be deployed by a web browser? I have only deployed it via an executable JAR file.
How easy is it to deploy via web browser? Does it work? Does anyone have experience with this?
http://docs.oracle.com/javafx/2/deployment/deployment_toolkit.htm
Update for the March 2018 Java Client Roadmap
I encourage readers interested in this question to review the following Oracle Whitepaper:
Java Client Roadmap Update
The above paper outlines the official Oracle position on related technologies (JavaFX/Swing/AWT/Applets/WebStart), the dates until which it intends to support those technologies and which of those technologies it intends to transition to open source development projects separate from the JDK and JRE.
Update for Java 9, Oct 2017
According to the Java 9 release notes:
Java Applet and WebStart functionality, including the Applet API, The Java plug-in, the Java Applet Viewer, JNLP and Java Web Start including the javaws tool are all deprecated in JDK 9 and will be removed in a future release.
So, for Java 9+, deployment of JavaFX in a browser using a Java plug-in will only be possible using deprecated technology. Oracle notes in another part of the Java 9 release notes:
Deprecates the Java Plug-in and associated applet technologies in Oracle's JDK 9 builds. While still available in JDK 9, these technologies will be considered for removal from the Oracle JDK and JRE in a future release. Applets and JavaFX applications embedded in a web page require the Java Plug-in to run. Consider rewriting these types of applications as Java Web Start or self-contained applications.
Note: Java Web Start isn't really an alternative as that is also deprecated (anyway, it's different from an application embedded and rendered within a browser page). Also note for those who wish to use Web Start, even though it has now been removed from Oracle JDK 11+, it is available as open source, info on this is at OpenWebStart.
As an alternative which offers similar functionality, consider something like jpro, which deploys JavaFX applications in a browser without a Java plugin (jpro is currently only in closed beta, so it is not a viable solution as of October 2017, but maybe someday in the future...).
For now, I would recommend that the best way to deploy JavaFX applications is as self-contained applications, running outside a browser.
Previous answer for Java 7 and 8
JavaFx - can it really be deployed in a browser?
Yes, JavaFX applications can be deployed so that they run inside a web browser hosted html web page.
The technology which allows this to occur is the Java Plugin. This plugin is currently a NPAPI based browser plugin solution. The Java Plugin is shipped with the Oracle Java 7 Runtime Standard Environment.
Not all browsers are supported, only those listed on the JavaFX Supported Configurations page.
How easy is it to deploy via web browser?
The easiest way to deploy a JavaFX project in a web browser is:
Create a new JavaFX project in NetBeans.
Develop a simple HelloWorld App.
Follow the instructions for Deploying your first JavaFX Application.
This is not difficult (in my opinion).
Alternatively, follow instructions on the detailed reference for Deploying JavaFX Applications (or use 3rd party tools). For many projects, using a tool other than the NetBeans IDE to perform packaging is a better approach. However, it is generally easier to let the NetBeans IDE handle deployment packaging tasks for you.
What follows is not related to answering the original question, but provides some opinions and information requested in comments on this answer.
Some Advice
There are pitfalls to deploying Java in a browser. I encourage you to do your own Google research on the subject.
In my mind, based upon the current JavaFX 2.x deployment model, for most application types that require a browser as the primary runtime container, using JavaFX is not an appropriate solution.
Examine the deployment and runtime requirements for your application. Based on your requirements, and knowledge of the JavaFX browser based execution model, decide if a browser based deployment using JavaFX technology is the correct mechanism for your application.
A couple of potential difficulties for browser embedded JavaFX applications
Some important browsers (e.g. Internet Explorer 10, iOS Safari and soon Desktop Chrome) don't permit execution of plugins using the NPAPI currently used by the Java browser plugin => some of your target users may be unable to use your application.
With a browser embedded application, you don't have complete control over the runtime on which your application executes (browser + Java runtime + plugin interface) => an application which was working when first installed may stop functioning as expected after an update to these runtime components.
Deployment Alternatives
If a browser based deployment model is not appropriate for your application, there are other ways to deploy JavaFX applications (e.g. WebStart, stand-alone jars and self-contained applications).
JavaFX - can it really be deployed in a browser?
No, not any more.
The answer used to be yes, as given in this answer, although even in 2013 when that was written the writing was on the wall. However, here in 2016 the answer is no, it cannot. Modern browsers essentially don't support NPAPI any longer (Firefox does for Java, but only until the end of the year), and NPAPI is required for the Java plugin.
As of 2016 you can use jpro without any browser plugin. And it even runs on mobiles.
Edit 1: The project is free for non-commercial or open source projects. A "hello world" can be found here
I found solution by chance here.
what was missing in my web project.
I must add this to web.xml file :
<mime-mapping>
<extension>jnlp</extension>
<mime-type>application/x-java-jnlp-file</mime-type>
</mime-mapping>
I need to deploy a JavaFX2.2 application on Mac machines. OS X 10.7 or later are fine with Java 7u7. What about OS X 10.6? Do we have any workaround? I think 10.6 can update upto Java 6u35 and somewhere I read 2.1 & 2.2 can run with 6u26 or later (However there are no support though which is ok).
Can someone please help me to accomplish this? Can we just download standalone JFX2.2 runtime from somewhere and put it on OSX10.6? Or any other alternative option? Is there a way we can copy/package 2.2 runtime along with the app itself?
Please help.
Is there a way we can copy/package 2.2 runtime along with the app itself?
Yes, see the documentation on self-contained application packaging which is supported on OS X 10.7+ and includes JavaFX 2.2+ and jre7u6+.
What about OS X 10.6?
Quote from an oracle forum thread by the JavaFX lead regarding Snow Leopard support and JavaFX 2.2:
FWIW, there are in fact some APIs we use from Lion that aren't on Snow Leopard. Also, Apple only supports the current release of the OS - 1 (so now it would be Lion and Mountain Lion), and for deployment we needed special hooks. The thought was that it didn't make sense to support versions of the Mac OS that Apple themselves didn't support any longer.
Some of the early developer builds of JavaFX (2.0/2.1) did run on Snow Leopard, but they were only early development builds and not production ready, plus, I don't think the license on those builds allow you to use them in production code. I don't think these early 2.0/2.1 development builds are distributed by Oracle anymore.
When JavaFX is fully open sourced, you might be able to undertake an effort to backport it to Snow Leopard, but by then it probably wouldn't be worth it.
As a hack, you could try adding the JavaFX runtime bundled in jre7u7+ to an Apple Java6u35 and see if you can run an app - but this would be a totally unsupported configuration likely to break and may also have distribution licensing issues.
Reasons why mac does not work with javafx.. currently
From: https://blogs.oracle.com/henrik/entry/oracle_jdk_and_javafx_sdk
Quote:
Note that support on Mac is for development only; e.g. we don't expect your Mac to be running a business critical server-side application...
Context: JavaFx is still in development on mac since java7, full on support was expected at java 8. Java 8 will be real eased september
From: http://www.oracle.com/technetwork/java/javafx/downloads/supportedconfigurations-1506746.html
Quote:
MacOs is only supported in 10.7.3 or greater (Mac OS X Lion, the second newest operating system)
Context: Stating JavaFx supported configurations. There are many browsers where JavaFx will not work!
From: http://docs.oracle.com/javafx/
Quote:
JavaFX applications run on a desktop. On Windows, they also run in a browser, and over the web.
Context: This with following quote implies only developmental progress on macOS
From: http://ed4becky.net/homepage/javafx-from-the-trenches-part-2-its-not-always-about-the-sex/?rcommentid=26916&rerror=incorrect-captcha-sol&rchash=35499a8f4e0544f950435495d20b0cf1#commentform
Quote:
Turns out there is a bug in the ChoiceBox – JIRA RT-26837 I talk about on the JavaFX2 Forum. It got the attention of Jonathan Giles at Oracle, and he escalated the fix, but it won’t be out until Java8 is released.
Context: There are still a lot of bugs that will keep you from success on mac!