Java users can verify their computer system’s Java version on this page. Affected by the security vulnerabilities are all JDK and JRE 7, and JDK and JRE Update 27 and earlier versions.

The risk matrix highlights each individual patch, the affected components, attack vectors and scores.

End users can make use of the automatic updating routine or download the new Java versions directly from the Oracle website. Windows users can check manually for updates from the Java Control Panel applet. They need to switch to the Update tab of the applet and click on the Update Now button there to run an update check and install the update on the system.

Users running the Java Runtime Environment 6 (who want to stay on 6 and not switch to 7) can download the JRE 6 Update 29 from this page. The new version is available for all supported operating systems. Windows users can download online or offline installers of the JRE.

Users who are already running the Java Runtime Environment 7 can download the new version that brings their version to JRE 7 Update 1 here.

Developers can download the Java Development Kit 7 Update 1 from the Java SE Downloads page. Additional developer related downloads are provided on that page as well.

Oracle classifies the patch update as critical. Users running either the JDK or JRE on their computer system should update the systems as quickly as possible to protect their operating systems from potential attacks and exploits.

Oracle notes that 19 of the 20 vulnerabilities can be remotely exploited without the need for authentication. System administrators who need more information should start with the official patch update advisory linked above. It includes temporary workaround suggestions that may mitigate potential attacks on computer systems.

The JRE is needed to execute Java applications on the local system and in the web browser. I use it for instance for the excellent RSS reader RSSOwl.

The JDK, Java Development Kit, has also been released as version 7.0 Final. The Java SE 7 Features and Enhancements page lists the highlights, changes and known issues. The page, which acts as the release notes, is highly technical. It links to additional pages with the most important changes in the new release, which makes it that much harder to compile an overview of important changes.

Probably most important from an end users point of view are security improvements and changes. Some weak ciphers have for instance been disabled in the Java 7 release to enhance the security.

This release includes new features such as small language changes for improved developer productivity, a new Filesystem API, support for asynchronous I/O, a new fork/join framework for multicore performance, improved support for dynamic and script languages, updates to security, internationalization and web standards and much more.

Java developers find all the information they need in the release notes and documentation. This includes updated installation and troubleshooting guides as well as JDK 7 and JRE 7 specific development guides and API documentations.

The Java Runtime Environment 7 has been released for all supported operating systems. Users can download the JRE 7 for supported 32-bit and 64-bit editions of Windows, Solaris and Linux from the official download page.

The Java offline installers have a size of about 20 Megabytes under Windows, and between 12 and 35 Megabytes under Linux and Solaris.

Developers can download the latest Java SE Development Kit 7 from Oracle as well. JDK 7 is offered for the same set of operating systems. It’s download size varies between 80 and 160 Megabytes.

Oracle today released the critical patch update Java 6 Update 24 to the public. The update fixes several critical vulnerabilities including the previously discovered vulnerability that causes hangs when parsing strings like “2.2250738585072012e-308″ to binary floating point numbers.

The risk matrix shows lists all 21 security fixes included in the update with information about the versions of Java affected, the access vector and if they are remotely exploitable.

Out of these 21 vulnerabilities, 13 affect Java client deployments. 12 of these 13 vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, which run in the Java sandbox with limited privileges. One of these 13 vulnerabilities can be exploited by running a standalone application.

In addition, one of the client vulnerability affects Java Update, a Windows-specific component.

3 of the 21 vulnerabilities affect client and server deployments. These vulnerabilities can be exploited through Untrusted Java Web Start applications and Untrusted Java Applets, as well as be exploited by supplying malicious data to APIs in the specified components, such as, for example, through a web service.

3 vulnerabilities affect Java server deployments only. These vulnerabilities can be exploited by supplying malicious data to APIs in the specified Java components. Note that one of these vulnerabilities (CVE-2010-4476) was the subject of a Security Alert released on February 8th.

Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in the Java Runtime Environment (JRE).

(via)

System administrators and users who have Java installed, either in the form of the Java Runtime Environment (JRE) or the Java Development Kit (JDK) should update the software as soon as possible to protect their systems from possible exploits.

Users who have applied the manual command line patch need to uninstall Java before they can install the new updated version.

The vulnerability is triggered when 2.2250738585072012e-308 is converted to a binary floating number. It can be exploited to allow unauthenticated network attacks which can “cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment”. Oracle notes that “Java based application and web servers are especially at risk from this vulnerability”.

The Java SE Floating Point Updater Tool has been created to “address the hang that occurs when parsing strings like “2.2250738585072012e-308″ to a binary floating point number”. The file is offered for download at this page. It is best to unpack the file directly into the /bin/ directory of the Java installation since it is necessary to run a command from the command prompt that references that file.

Windows users need to open an elevated command prompt and switch to the directory of their Java installation. The directory is located in the program files directory, in the case of a 64-bit operating system in the program files (x86) directory. The full path on my Windows 7 64-bit test system is C:\Program Files (x86)\Java\jre6\bin.

The command that needs to be entered is java -jar fpupdater.jar -u -v. The path of fpupdater.jar needs to be added if the file is not in the same directory as the java executable. The command assumes that the user is in the bin directory mentioned above. The path needs to be added to the command as well if that is not the case.

It can take up to two minutes before the patch is fully applied to the JRE or JDK. It is necessary to run the patch against any instance of JAVA on the system, for instance if the JDK with JRE and a standalone JRE are installed on the system.

The program should display that the patch was applied successfully in the end. Another indication are two files that are placed inside the lib folder by the application.

/lib/rt.jar.fpupdater Copy of rt.jar before the fix.
/lib/.fpupdater.log Zero-length file indicating that the update has taken

Users who have Java installed should patch the vulnerability as soon as possible. (thanks Dante for the tip, via)

The Update release notes list the full external version as 1.6.0_22-b04, and the external version as 6u22. It lists a total of 16 different bugs that have been fixed in the update.

• 6897143 – hotspot – garbage_collector – Stress test crashes during HeapInspection using ParallelGC
• 6919638 – hotspot – garbage_collector – CMS: ExplicitGCInvokesConcurrent misinteracts with gc locker
  6837842 hotspot jni JNI_CreateJavaVM crashes under impersonation
• 6948223 – idl – orb – Corba issue, fail to reload object
• 6969236 – java build – Regression: JRE identification fails due to Oracle rebranding in java.exe
• 6893325 – java – classes_awt – JComboBox and dragging to an item outside the bounds of the containing JFrame is not selecting that
• 6974093 – java – classes_lang – Thread.clone should NOT invoke addUnstarted on started threads
• 6959911 – java – classes_security -Update Entrust.net CA (2048) root and add new Entrust Root CA-G2
• 6725789 – java – classes_util_concurrent – ScheduledExecutorService does not work as expected in jdk7/6/5
• 6547241 – java – imageio – JPEGImageReader.readImage crash
• 6557086 – java – imageio – Attempt to dispose jpeg reader form another thread may cause crash
• 6944981 – java_deployment – general – Name field missing in mix code security warning dialog for Java Webstart application
• 6869937 – java_plugin – plugin2 – New Plugin – Vista&XP Focus never returned to browser
• 6846148 – jaxb-xsd – runtime – Namespace gets lost for null scope while using RetQName
• 6946312 – jaxp – sax – XML parser omits characters callback to ContentHandler since 6u18
• 6957378 – jmx – classes – JMX memory leak

Users who have Java installed should download it as soon as possible from the official website. A script on the site will detect the installed Java version, and display a download link if the installed version is not the latest. The release notes are accessible here.

But Ghacks readers know more, downloads for the Java Runtime Environment and Java SDK are already enabled in the Sun Download Center.

Users who work with the JRE can download the latest version from this download center page. The software is available for Windows, Linux and Solaris.

java 6 update 21

The Java Developer Toolkit has also been updated and can be downloaded from this page instead. It raises the version to 6 Update 21 as well and is available for the same platforms.

The release notes list the changes in the Java Update. Among the new features is support for additional system configurations including Google Chrome 4, performance improvements in Java VisualVM and at least one security fix. Developers and interested users can take a closer look at all the bugfixes of Java 6 Update 21 on this web page.

The security issue that has been fixed in this update makes it a recommended update for every user who has Java installed on a computer system.

The changelog lists all the bug fixes of the latest version including changes to root certificates, an interim fix for the Transport Layer Security (TLS) Man-in-the-Middle Attack and the raising of a warning dialog if a signed application contains signed and unsigned components.

All the changes and fixes including links to further information can be accessed at the changelog page.

Users can visit the JRE download page to test their version of the Java Runtime Environment to evaluate if an update is necessary.

Users with outdated versions of the JRE can download it immediately from the download page for their operating system. The Java Runtime Environment is offered as an offline and online installer for Windows on the standard download page.

It is recommended to check the verify Java page again after the update to make sure it was applied successfully.

A total of 13 security vulnerabilities are fixed by the Java update. Attackers can use those vulnerabilities for various attacks on a computer system that can lead to privilege escalations.

Probably the easiest way to uninstall old versions of Java and to install the latest secure update is by using the third party software Java RA. Java RA can uninstall old versions of Java. Users should download the latest JRE directly from Sun and install it on their systems. Java Ra should be run after the installation as it will remove all old versions of Java while keeping the latest version installed.

List of vulnerabilities:

• The Java Runtime Environment Creates Temporary Files That Have “Guessable” File Names
• Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts

May

• Allow Applets or Java Web Start Applications to Elevate Their Privileges
• Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation
• The Java Runtime Environment (JRE) “Java Update” Mechanism Does Not Check the Digital Signature of the JRE that it Downloads
• A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated
• A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated
• The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
• Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User’s Home Directory
• Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
• A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
• Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
• A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
• A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

Users who cannot install the Java update immediately should disable Java for the time being to protect their computer system from the exploits.

Four different versions of the Java Runtime Environment were installed on my system and JavaRa removed the three versions of JRE that were the oldest from the system. I started by scanning my system for old versions of Java which were removed, then checked if there was a Java update available. I should have done it the other way round because an update was found and a new version of Java was installed on my system.

Which led to the fact that the previously newest version was not the newest anymore so I had to run the cleanup process again to remove that version. The best way to use the application is therefor to run the Update first and check for old versions once the software has checked for and installed possible updates.