Forum Thread: Java Development Kit incompatibility

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Oracle Java JDK 1.7.x / 7.x

This thread has been marked as locked.
progan01 Java Development Kit incompatibility
Member 12th Sep, 2012 15:00
Ranking: 0
Posts: 20
User Since: 25th Oct, 2010
System Score: N/A
Location: US
Three weeks ago PSI informed me that I had multiple outmoded instances of the Java Development Kit (jdk) running on my computer that required manual update. Not seeing a reason for having the prior versions, and having checked for the proper removal process, I simply deleted them using the Windows Uninstaller.

While this pleased my copy of PSI, the removal degraded the performance of several other software packages, including LibreOffice 3.X, which I was forced to reinstall.

Two days ago PSI informed me that the very same jdk components I had uninstalled had been reinstalled and needed manual updating again. This was a week after I reinstalled LibreOffice so I do not think the two are related.

The prior versions PSI informs me I must manually install are:

C:\Program Files (x86)\Java\jdk1.7.0_5\bin\javac.exe installed version 7.0.50.5
C:\Program Files (x86)\Java\jdk1.7.0_3\bin\javac.exe installed version 7.0.30.5
C:\Program Files (x86)\Java\jdk1.7.0_2\bin\javac.exe installed version 7.0.20.13

What do I need to do to proceed here? Something on my machine requires JDK prior versions and it would seem can reinstall them on its own. Do I simply tell PSI to ignore JDK, go through the same removal-degradation-reinstallation-re-JDK cycle again, or something else? Guidance is appreciated.

I have a homebuilt system running Windows 7 Professional 64-bit SP1, with an ASUS M4A89TD PRO/USB3 motherboard with an AMD Phenom II X6 1100T processor running at 3.3 GHz, an NVIDIA GTX 570 video card, 16 GB of RAM, and a 500 Gb C: drive.

E.Jeppesen RE: Java Development Kit incompatibility
Secunia Official 13th Sep, 2012 12:56
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Last edited on 13th Sep, 2012 12:58
I cannot tell you what program on your computer is automatically reinstalling your Java Development Kit; perhaps someone else on the community can help?

You can of course decide to ignore the vulnerable versions of Java Development Kit by creating an Ignore Rule, but that decision is entirely up to you. The best option would probably be to actually solve the issue and have the vulnerable versions either updated or uninstalled. But if you uninstall them and they are automatically reinstalled on your computer, you need to figure out how that is happening.
Anthony Wells RE: Java Development Kit incompatibility
Expert Contributor 13th Sep, 2012 17:37
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

This may answer your problematic search for a culprit :-

http://www.libreoffice.org/get-help/faq/general-fa...

Same applies to OOo .

I suggest you disable Java plug-ins in all your browsers and let Libre Office pick up Java as it needs it ; there may well still be a risk if you download "infected" files but then again that is always potentially dangerous .

Hope that helps .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
progan01 RE: Java Development Kit incompatibility
Member 13th Sep, 2012 18:15
Score: 0
Posts: 20
User Since: 25th Oct 2010
System Score: N/A
Location: US
Anthony, thank you. Installing JDK originally was a risk but there is Java functionality found there that does not exist elsewhere. I am already running NoScript for Firefox and disabled all plug-in functionality for IE10 four days ago. So I do not believe I am vulnerable.

I would much rather leave Java functionality with my browsers and let LibreOffice inform me when it can't perform because it needs older Java to function. But there seems to be no way to simply turn it off for the suite as a whole; I must simply try features until it tells me it can't run. Or, as seems the case at present, run it with the older versions and keep scanning for corruption or infection. If in fact LibreOffice is reinstalling older JDK components at need, silently, I don't see another way to proceed. This is production software, indispensable at the moment.

In the meantime, I have also had to upgrade some of my security features, including two programs that monitor for updates and alert me that it's time to upgrade. C|Net's TechTracker has been behaving oddly, and ZoneAlarm was showing signs of instability so I replaced it entirely with a different product. I am not sure either of these procedures had any bearing on my situation.

Either way I don't seem to have an active path forward from here. I'm not willing to disable notices on older versions of JDK because the process by which this software came onto my system after removal remains a mystery, and a vulnerability. I can't dispense with LibreOffice. I still need to identify the culprit here if it is not LibreOffice. Could either TechTracker or ZoneAlarm Free Firewall be responsible? System Explorer 3.9.5? MSXML 4.0? Adobe AIR? Shockwave? JRE 7v7? These are the only updates I have installed since the problem surfaced. Or could an older installation be responsible? My records go back farther than this.

I still require assistance, it seems. Thanks for your help, but I must understand the first cause here.
Was this reply relevant?
+0
-0
progan01 RE: Java Development Kit incompatibility
Member 17th Sep, 2012 09:14
Score: 0
Posts: 20
User Since: 25th Oct 2010
System Score: N/A
Location: US
Let me be more specific:

What sort of applications would have the capability of installing prior versions of the Java Development Kit, or else cause Windows 7 Professional to restore them after deletion?

Is LibreOffice the culprit? Their single page on their FAQ does not indicate one way or the other.

Is there functionality in any antivirus package that is known to restore deleted obsolescent JDK files? Any browser?

Does anybody have any idea why these deleted old JDK versions would resurrect themselves on my machine?

The issue remains that these older files were deleted, remained deleted for about two weeks, and then reappeared, prompting the PSI alert. I can't just keep erasing them, nor does it seem wise to disable the warning without knowing how these files reappear. I don't know that they aren't being re-downloaded by something on my PC. I need to find out what might be doing that and how to counter it.

As it stands, my machine is vulnerable twice over -- once from the old JDK components, and the second by whatever mechanism is putting them back after I remove them. Does anybody have any idea at all? This is an open and continuing critical vulnerability for me.

---->P!
Was this reply relevant?
+0
-0
Anthony Wells RE: Java Development Kit incompatibility
Expert Contributor 18th Sep, 2012 21:09
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi again ,

As no-one else is offering anything atm , let me add that I use Open Office version A000 3.4.1 from Apache in Eng-UK . It uses JRE 7 update 7 for all my needs .

A (very) old version of OOo (pre Libre) used to need an out of date version of Java ; when I complained , a very senior Sun and OOo person said that he could not do anything then but that my "secure browsing" methods were far more important than an old version of Java .. Since then , Oracle has appeared and Java is ever more targeted and his response is more/less questionable .

Even with NoScript loaded in Ff , I would tend to disabling the Ff Java plug-in . Since my Bank's website dropped Java , then the Secunia OSI website is the only one that I use that needs Java .

Bearing in mind that I am non-techie , it would appear that OOo and probably LO only need to work with JRE as such . Why not ask the LO community when , how , whatever do they use Java and as JRE or JDK .

None of the other programmes you mention are likely to need or use Java and with a further need to download JDK .

You say "This is production software, indispensable at the moment." If that means you are doing dev work with a third party or their software it is more likely they who require JDK .

To get to the bottom of things then you need to do your own research ;
you will also need to use logic and a step by step analysis .

You do not say which version of PSI you are using but for ease of research I would load 2.0.0.3003 (the link is in any Maurice Joyce post (signature)) and select "auto-update" and "prompt" in "settings" ; then , if I were you , I would uninstall all JDK references until the PSI shows you "clean/without JDK" after a full scan : continue to work as normal and keep a detailed record of your doings : run a full PSI scan as often as possible , at least daily , and see when JDK pops in . That should narrow things down a bit .

I do not use W7 either , but I would assume download , surf history , etc., or some such would point things up further .

Let us know your progress .

Take care

Anthony




--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
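
One way to carry out the step-by-step analysis suggested in the reply above, as an added example that is not part of the original thread or any poster's own code: this PowerShell script lists every JDK folder with its creation time and lines it up with Windows Installer (MsiInstaller) events in the Application log, to show when, and under which account, an old JDK was put back. The folder roots come from the paths in the original post; the 10-minute matching window and the variable names are assumptions.

```powershell
# Added example, read-only: it lists and correlates, it removes or changes nothing.
# Assumption: JDKs sit under the default Java roots shown in the original post.
$javaRoots     = @("${env:ProgramFiles(x86)}\Java", "$env:ProgramFiles\Java")
$windowMinutes = 10   # assumed tolerance between an MSI event and folder creation

# 1. Each JDK folder, the javac.exe file version PSI reports, and when the folder appeared.
$jdks = @(foreach ($root in $javaRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter 'jdk*' | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $javac   = Join-Path $_.FullName 'bin\javac.exe'
        $version = $null
        if (Test-Path $javac) { $version = (Get-Item $javac).VersionInfo.FileVersion }
        New-Object PSObject -Property @{
            Path = $_.FullName; Created = $_.CreationTime; JavacVersion = $version
        }
    }
})

# 2. Windows Installer records in the Application log that mention Java or a JDK.
#    1040 = transaction started (message carries the client process id),
#    1033 / 11707 = product installed.
$msi = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 1040, 11707
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Java|jdk' } | Sort-Object TimeCreated)

# 3. For every JDK folder, show the installer activity closest to its creation time.
foreach ($jdk in $jdks) {
    '{0}  javac {1}  created {2:yyyy-MM-dd HH:mm}' -f $jdk.Path, $jdk.JavacVersion, $jdk.Created
    $near = @($msi | Where-Object {
        [math]::Abs(($_.TimeCreated - $jdk.Created).TotalMinutes) -le $windowMinutes
    })
    if ($near.Count -eq 0) {
        '    no MsiInstaller event within the window (log rolled over, or files not placed by an MSI)'
    }
    foreach ($e in $near) {
        # UserId is the SID of the account the installer ran under (SYSTEM vs. a user).
        '    {0:yyyy-MM-dd HH:mm}  id {1}  user {2}  {3}' -f $e.TimeCreated, $e.Id, $e.UserId,
            ($e.Message -split "`n")[0].Trim()
    }
}
```
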
progan01 RE: Java Development Kit incompatibility
Member 19th Sep, 2012 02:16
Score: 0
Posts: 20
User Since: 25th Oct 2010
System Score: N/A
Location: US
Anthony;

Thanks for the feedback.

I appreciate your effort but I am not moving forward. My problem is not with OpenOffice and I have yet to see proof that LibreOffice is the culprit either. The problem program that keeps popping up and cannot be outdated are prior updates to the Java Development Kit 1.7x-7.x. Not the Java Runtime Environment.

I am running PSI 3.0, and keep it updated.

Since Java runs in the background, and is designed to handle transfers of information between my machine and the Net invisibly, my logs would not show any installation of JDK components after the initial installation. What I believe may be happening is that JDK is repairing itself, restoring those prior components it needs itself to run. But testing to find out if this is true will likely result in loss of productive, i.e., billable time and provide me no useful information. Essentially I would be removing JDK and seeing what can't run without it, whereupon I would install it again and face the same problems I am now. Not a productive use of my time.

At least one site that uses it is a US government site that does not itself stay updated with Java releases, so it typically lags my system. Presently this site is not entirely usable due to their lack of updates, but this is a non-production site for me so I haven't investigated the site further.

It sounds like I must go to the Oracle user base and see if anybody has said anything more useful about it since the day before yesterday.

This remains a critical vulnerability for me with an identified cause. At present the only remedy would appear to be removal of all versions of the Java Development Kit. I know people are big on being down on Java recently but this approach strikes me as a bit nihilist. I need working technology, not a strategic retreat from the unknown. I demand better.

---->P!
Was this reply relevant?
+0
-0
Anthony Wells RE: Java Development Kit incompatibility
Expert Contributor 19th Sep, 2012 16:58
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
on 19th Sep, 2012 02:16, progan01 wrote:
> Anthony;
>
> Thanks for the feedback.
>
> I appreciate your effort but I am not moving forward. My problem is not with OpenOffice and I have yet to see proof that LibreOffice is the culprit either. The problem program that keeps popping up and cannot be outdated are prior updates to the Java Development Kit 1.7x-7.x. Not the Java Runtime Environment.

I am aware your problem is with Libre and not Open Office and JDK and not JRE ; my "usage" comments were for background

> I am running PSI 3.0, and keep it updated.

I confirm that version 2.0.0.3003 may give a better "access/visibility" to the problem .

> Since Java runs in the background, and is designed to handle transfers of information between my machine and the Net invisibly, my logs would not show any installation of JDK components after the initial installation. What I believe may be happening is that JDK is repairing itself, restoring those prior components it needs itself to run. But testing to find out if this is true will likely result in loss of productive, i.e., billable time and provide me no useful information. Essentially I would be removing JDK and seeing what can't run without it, whereupon I would install it again and face the same problems I am now. Not a productive use of my time.

Then just remove the "old/insecure" versions of JDK and then PSI will display (after a scan) if and more or less when the old versions are installed . Then you will need to reconstruct what you were doing at the time span ; no-one else can second guess your situation .

> At least one site that uses it is a US government site that does not itself stay updated with Java releases, so it typically lags my system. Presently this site is not entirely usable due to their lack of updates, but this is a non-production site for me so I haven't investigated the site further.

Maybe you should .

> It sounds like I must go to the Oracle user base and see if anybody has said anything more useful about it since the day before yesterday.
>
> This remains a critical vulnerability for me with an identified cause. At present the only remedy would appear to be removal of all versions of the Java Development Kit. I know people are big on being down on Java recently but this approach strikes me as a bit nihilist. I need working technology, not a strategic retreat from the unknown. I demand better.
>
> ---->P!

In the case of Java the old "I want never gets" saying is rather the case .
Do not have anything else to add .

Take care

Anthony


--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
progan01 RE: Java Development Kit incompatibility
Member 20th Sep, 2012 00:19
Score: 0
Posts: 20
User Since: 25th Oct 2010
System Score: N/A
Location: US
Anthony;

Well, now I'm moving backward. Why would a prior version of PSI be more useful than the most-recent version? What am I lacking? PSI 3.0 already identifies which particular files need 'manual' updating. I have already tried to remove them, as I stated in my original post, and they grew back.

My issue is that I do not understand how they grew back, where they came from, or what initiated their return. If it's LibreOffice there's the small detail of a week's delay between reinstallation of LO 3.6.1 and the reappearance of JDK prior versions.

It's all well and good for PSI to point out they're older, but there is no upgrade path -- they either came with JDK or were installed at a later point by other software on my machine. Removing them is futile if they simply come back, by whatever means.

Let me point out the obvious: If PSI doesn't understand the process by which obsolescent software gets reinstalled on my machine after removal, what is the value of pointing it out to me? The value of PSI declines if there is no understanding as to why, and whence, this software it identifies as old comes to be restored to my machine.

Your only advice to me is the path I took prior to coming to the Secunia PSI Community at all: I did in fact remove the older versions of JDK using the procedure Oracle identified. This caused LO 3.6.1 to fail, so I reinstalled it.... and a week later, the problem recurs.

What else must I do to make clear the problem? PSI identified old, presumably vulnerable versions of JDK. I removed them, restored my software, and a week later, PSI identifies the same prior versions back in place.

If Secunia has no answer here, and no one else seems to have the problem, then the community is not providing me what I need. If I have to find a solution on my own, I will, but I am in a production environment and I can only do such experimentation when I have no pressing duties. That could be some time.

So I have no recourse but to leave this thread open, without resolution, until such time, apparently, as I have time to provide my own answer.

You'll hear from me later.

---->P!
Was this reply relevant?
+0
-0
