Java vulnerability for 1.7.10 and below

01-22-2013 01:34 AM
CarlosColón-Maldonado
Frequent Contributor
Hi,

A new critical vulnerability has been discovered in Java 1.7.x, and the Federal Government has mandated the removal of all versions of Java 1.7.10 and earlier, and the installation of 1.7.11 to circumvent this issue. The latest ArcGIS Runtime for Java 10.1.1 only supports Java Development Kits 6 update 37 through 7 update 9. Since the latest version of ArcGIS Runtime for Java just got released, what is ESRI's resolution?

I've personally tested the installation and run most samples provided with no seemingly known misbehavior against JRE 1.7.11, but my test is obviously not all-inclusive.

Regards,

Carlos
0 Kudos
1 Solution

Accepted Solutions
MarkBaird
Esri Regular Contributor
The statement "supports Java Development Kits 6 update 37 through 7 update 9" should probably be reworded slightly.

To explain why we state these JRE/JDK versions, when we test a new release we take the latest available versions of Java 6 and 7 and certify against those versions. 10.1.1 was certified against 6u37 and 7u9. These were the most up-to-date versions at the time we were testing late last year.

New releases of Java come out all the time to fix bugs and plug security holes, and theoretically this should not cause a problem with the Runtime. I can't, however, guarantee that a new Java bug or security issue has been introduced in their latest release which may affect Runtime functionality.

I'm also using 7u11 and so far I've not seen any issues.

I hope this helps.

Mark

0 Kudos
5 Replies
CarlosColón-Maldonado
Frequent Contributor
Thanks for replying, Mark.

While aware of any Java-supported vendor's inability to guarantee compatibility with future JRE updates, as a customer, I would think that support of any potential software issues with them ought to be granted by the vendor. While it has not been my experience so far in the case with ESRI, I merely wanted to confirm the software requirements statement.

I'm glad to see the effort made to ensure JRE compliance and compatibility.
0 Kudos
KenSanders
New Contributor
One of my developers believes that Java 6 is embedded in the ArcGIS software. I've not heard that before, so I thought I would come to the source to find out the truth of it all. Has anyone heard that? I am attempting to verify the vulnerabilities pertaining to Java 6, since it has not been supported for some time. Please let me know if this is accurate.
0 Kudos
CarlosColón-Maldonado
Frequent Contributor
I have not noticed the embedding of earlier Java Runtime Environment libraries in any of the Runtime installations (though it seems strange that Java is not listed as required software in the system requirements for 10.2). An easy way to test that theory is to remove all Java deployments from the box to see if the samples will work, but I doubt it. I am using ONLY Java version 1.7.0.17-b02 and have no issues with it.
0 Kudos
MarkBaird
Esri Regular Contributor
The jar files in the ArcGISRuntime are compiled against 6u45.  This is how we can support Java 6 and Java 7. 

Our plan is to support Java 6 for one more version (which is due to be released early next year).

After that the product will be compiled using Java 7 and we will support Java 8 (if it is released).

Mark
0 Kudos
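
The thread writes Java versions in several notations (1.7.10, 7u9, 1.7.0.17-b02), which makes it easy to misjudge whether an installation falls under the mandate described in the opening post. The following is an added example, not code from any poster or from Esri: it normalizes those notations and classifies each against the 1.7.11 minimum stated in the thread. The function names, the regular expressions and the host inventory are constructed assumptions.

```python
import re

# Threshold taken from the thread: Java 7 at update 10 or lower is to be
# removed, update 11 is the stated minimum.
JAVA7_MIN_UPDATE = 11

# Assumed patterns for the notations seen in the thread, plus the
# java.version property style (1.7.0_10). Not an exhaustive grammar.
_PATTERNS = [
    re.compile(r"^1\.(?P<major>\d+)\.0[_.](?P<update>\d+)(?:-b\d+)?$"),  # 1.7.0_10, 1.7.0.17-b02
    re.compile(r"^1\.(?P<major>\d+)\.0$"),                                # 1.7.0, no update
    re.compile(r"^1\.(?P<major>\d+)\.(?P<update>[1-9]\d*)$"),            # 1.7.10 shorthand
    re.compile(r"^(?P<major>\d+)u(?P<update>\d+)$"),                      # 7u9, 6u37
]

def parse_java_version(text):
    """Return (major, update), or None when the notation is not recognised."""
    text = text.strip()
    for pattern in _PATTERNS:
        m = pattern.match(text)
        if m:
            groups = m.groupdict()
            return int(groups["major"]), int(groups.get("update") or 0)
    return None

def classify(text):
    """Classify one version string against the mandate described in the thread."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"          # never treat an unparsed string as compliant
    major, update = parsed
    if major != 7:
        return "not-covered"      # the mandate as quoted concerns 1.7.x only
    return "remove" if update < JAVA7_MIN_UPDATE else "ok"

def audit(inventory):
    """Group host names by classification; inventory maps host -> version string."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "gis-build-01": "1.7.0_09",
    "gis-build-02": "7u11",
    "gis-desk-03": "1.7.0.17-b02",
    "gis-desk-04": "6u37",
    "gis-desk-05": "1.7.10",
    "gis-desk-06": "seven",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

Hosts reported as "unknown" or "not-covered" need a manual decision; the script only answers the Java 7 question raised in the thread.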