Java exploit information

The recent highly publicized Java exploit has produced much concern and confusion.

The exploit affects only updates of Oracle Java 7 before Update 11. Java 6 is not vulnerable to this exploit, and neither is Java 7 Update 11 (nor, presumably, later versions).

All major web browsers have taken it upon themselves to block the loading of any vulnerable versions of the Java plug-in.  Some things of note that might be affected at Wesleyan are:

  • The multiple-upload feature of Wesfiles may not be available.
  • The automatic installer for Cisco AnyConnect VPN software that is available at <https://webvpn.wesleyan.edu> may not work at all.
  • A workaround is to download and install the software directly: the client itself does *not* rely on Java in any way; only the web-based self-installer does.

Things to do:

  • Nothing, if you do not have Java 7 installed; many Wesleyan-owned computers have Java 6, as much Java software is still incompatible with Java 7. To find out what Java version you have, go here and make sure you click Allow when the browser asks you to enable Java to run the test.
  • Regardless of Java version, you can download the latest version of Java 6 and/or Java 7 and install it.

If the browser has blocked a previous, insecure version of the Java plug-in, it should automatically re-enable it upon detecting the new, safe version.  You can test the function of the Java plug-in here:  https://www.java.com/en/download/installed.jsp

If the browser seems to still have disabled it, see the following page for instructions on how to re-enable it:  https://www.java.com/en/download/help/enable_browser.xml

Note that “Java 7” is the same thing as “Java 1.7” or “JRE 1.7”, and “Java 6” is the same thing as “Java 1.6” or “JRE 1.6”. Java installers or error messages will occasionally refer to themselves using the “1.*” nomenclature.
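For checking many machines at once, the version rule and the “1.*” naming described above can be turned into a small script. This is an added example, not part of the original notice: the function names are hypothetical, the sample strings are constructed, and it assumes the legacy `1.<major>.0_<update>` format that `java -version` prints for Java 6 and Java 7.

```python
import re

# Legacy scheme: "1.<major>.<minor>_<update>", e.g. 1.7.0_10 or 1.7.0_10-b18.
# The "_<update>" suffix is absent on the initial release (e.g. "1.7.0").
_VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')

AFFECTED_MAJOR = 7       # per the notice: only Java 7 is affected
FIRST_FIXED_UPDATE = 11  # per the notice: Update 11 is not vulnerable


def parse_java_version(text):
    """Return (major, update) from a version string or `java -version` output.

    Returns None when no legacy-style version string is present, so the
    caller can flag the host for manual review instead of guessing.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(text):
    """True if Java 7 before Update 11, False if not, None if unknown."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    return major == AFFECTED_MAJOR and update < FIRST_FIXED_UPDATE


# Constructed sample inputs, shaped like installer names and version output.
SAMPLES = [
    'java version "1.7.0_10"',
    'java version "1.7.0_11"',
    'java version "1.6.0_38"',
    'JRE 1.7.0_09-b05',
    '1.7.0',
    'command not found: java',
]

if __name__ == "__main__":
    labels = {True: "AFFECTED - update", False: "not affected", None: "unknown - check manually"}
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {labels[is_affected(sample)]}")
```
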