The community will be in read-only from Monday 11:59pm (PT) to Wednesday 7:30am (PT)
Project and Portfolio Management Practitioners Forum

Java Vulnerability and PPM

Toby Harvey
Super Collector

Java Vulnerability and PPM

This "new" vulnerability was released by AusCert (and other related CERT teams) last Friday and basically suggests that there is a massive hole in the permissions management of all versions of Java 1.7.

 

http://www.auscert.org.au/render.html?it=16829

 

This probably does not directly affect PPM, but if organisations were to follow the recommendation they will be disabling Java in all browsers, which would of course have a flow-on effect to PPM (and a lot of other apps). Most clients I know of use Java 1.6 versions, which appear to be unaffected. Maybe some of you out there are using 1.7 and are considering what to do with this news?

 

 

Normally I wouldn't bring it up, but this has now hit the mainstream media, so it will not only be the security teams that know about it; we may see/hear more chatter about this than usual due to the blunt nature of the "solution".

 

Has anyone in the community come across this issue or seen any responses to it that might have an effect on your installations? I have not brought it up directly with HP, as any permanent resolution really depends on Oracle, and have not yet taken the time to assess what disabling Java in browsers would really mean for our PPM users - have you?

 

 

3 REPLIES
Jason Nichols K
Honored Contributor

Re: Java Vulnerability and PPM

Toby,

This will depend on what part of PPM your users are utilizing. If your users are using the Demand / Project Management part of PPM, then the users aren't directly using Java in their browsers. If they are using the Deployment Management functionality, or anything that uses Workbench, then they will be using Java from their browser and could have issues if they disable Java in the browser, but you still have the Launch from Desktop option to get around that.
Oscar_Pereira
Frequent Visitor

Re: Java Vulnerability and PPM

Hello Toby,

 

At this moment, PPM latest version is 9.1 SP4 0004 and it does not support Java 1.7 (it is not certified).

 

Any customer running JDK 1.7 for 9.1 SP4 0004 or any earlier releases will definitely experience issues, but not because of these vulnerabilities; 1.7 is just not supported for these releases, and PPM code was made/compiled for 1.6 and not 1.7. PPM server cannot start up under JDK 1.7.

 

We are adding the support for JDK 1.7 in the next major version release: PPM 9.2.

 

This version is currently in the QA cycle and is running on JDK 1.7 without issues.

 

There is no release date yet for 9.2.

 

 

Oscar Pereira

Toby Harvey
Super Collector

Re: Java Vulnerability and PPM

Thanks guys,

 

Last night I took the time to disable as much of Java as I could in my own system and found that PPM was still running fine, even the Workbench (both Launch and Launch from Desktop). There is a new feature in Java 1.7 that allows you to turn it off more completely, which could have allowed a more accurate test, but I'm still using 1.6 so this does not apply ...

 

There is also now a patch available from Oracle for the hole, so combining these two factors pretty well closes the potential issue. Also note that I confirmed that the customer I am working with at present was not planning to take any action anyway :)

 

No worries at all!

 

 
