topic Re: Java Vulnerabilities in Administration and Deployment

Java Vulnerabilities

blashmet — Fri, 18 Oct 2013 22:02:48 GMT

When the recommended Java installation option is used with SAS, does SAS install the browser plugin/component of Java, or is this a special "localized" version of Java only utilized by SAS?

I'm not sure if this is correct, but it seems like Java vulnerabilities are only exploitable when Java is enabled in a browser.

I ask because we are currently required to keep Java updated on SAS workstations, but this doesn't seem necessary if the SAS version of Java isn't really open to Java vulnerabilities (since it's not interfacing with the internet).

Any help would be appreciated. Thanks!

Re: Java Vulnerabilities

jakarman — Sat, 19 Oct 2013 15:51:34 GMT

The standard SAS installation on a desktop will try to replace the default java installation.
This approach will lock you in to be dependent of the browser/default version.

Knowing that it is better to define a localized java version by yourself and use that as the SAS version.

The advice is to install that SAS-JPRE, private java versions(s) on a local drive.
Once I got different behavior when it was installed on a network-drive or a local-drive as something with locking the log-files and more.

The SAS-code that will use this Java-run time can be placed on network drives. The ini-files are having the options/settings and there are no windows-registry or dll's involved. You could use a copy-deploy approach. The more difficult clients are Eguide Amo and SAS/base as they are for more integrating into Windows.

For fun after 9.3 the encoding of the JAVA environment is used in SAS not of the used OS.

Re: Java Vulnerabilities

blashmet — Sat, 19 Oct 2013 20:52:51 GMT

Thanks for your comments, however, I'm not sure they answered my questions.

To reiterate,

I want to know if allowing SAS to install Java means the browser component of Java will also be installed. If not, is that system still open to Java vulnerabilities?

Re: Java Vulnerabilities

jakarman — Sat, 19 Oct 2013 21:23:40 GMT

Blashmet.

To repeat:

If you only type setup and say yes to all the defaults it will also do the browser (standard java install).

a/ You will be vulnerable by the browser by that java version

b/ you change/update process is introducing a dependicy. Some updates of java may be hurt SAS processing.

Change te installations approach you do not use that combined approach.

Do not use the same java-vm for the browser and SAS. So:

a/ you can still disable/not run java in the browser or use a dedicated verfied version for that. You will not be vulnerable at that part.

b/ run the SAS system with JAVA in a well secure OS security setting. No

matter how buggy java is it will not get out of that OS isolation level of your user /ssytem processes. (do not run them root level)

The browser vulnerablilty is caused by braking barriers of outer/world - inner world.

That is a non-existent situation when running SAS as it is only the innner-world,

Re: Java Vulnerabilities

Mark_sas — Mon, 21 Oct 2013 13:57:30 GMT

Note that the answer is actually different for 9.3 and 9.4. For 9.3, SAS ships a standard JRE install which does indeed include the browser plug-in. For 9.4, SAS uses a private JRE which does not install the browser plug-in and does not impact other applications on the system.

Re: Java Vulnerabilities

jakarman — Mon, 21 Oct 2013 14:50:59 GMT

Thanks mark, that is indeed an improvement asm it is avoiding the default Oracle Java-installation procedure.
There are more challenges like:

- the .Net security and manifest file being abandoned by Microsoft.

- Vritualisation issues as of CCM (former Soft-Grid) with the default smaller machine setups as of VDI

- The reference file to a webserver with EMiner as part of the clientsoftware not the client configuration

- ...

Any improvements / "what is new" on those parts?

I Could not resist to ask this because there a lot of issues getting SAS installations aligned according common IT governance policies.

Re: Java Vulnerabilities

blashmet — Mon, 21 Oct 2013 22:42:35 GMT

Is there a way to use a "private" version of Java with SAS 9.3? Is there a way to simply delete the browser plugin?

Re: Java Vulnerabilities

Mark_sas — Tue, 22 Oct 2013 15:40:48 GMT

SAS 9.3 relies on a public JRE, either the one included in your order or one which is preinstalled on your system. You'll need to consult your public JRE supplier if you're looking for a way to delete the browser plugin. The last I explored this, Oracle recommended you disable the plugin via disabling Java in the browser interface rather than supplying a way to avoid installing it in the first place.

Re: Java Vulnerabilities

Andre — Wed, 23 Oct 2013 14:22:30 GMT

Last week, i have observed that with the update of Java 1.7.0.45

this security update was destroying every other java directory inside

c:\Programs Files\Java

so the version of 9.3.2 32bits were touched by this as at origin where you were

accepting the install of Sas the 1.6.0.24 was installed by defaut in

the directory where oracle is now purging anything else the jre7

the consequence was no graphics inside SAs and a

ERROR: The Java proxy is not responding.
ERROR: The Java proxy's JNI call to start the VM failed.
ERROR: Java failed to start during the SAS startup.

the by pass i have found is to correct

all the sasv9.cfg

For 9.3.2, the urgency by pass consist perhaps in modifying the config files (case windows 7 32 bits sas 9.3.2 32 bits)

-Dsas.jre.libjvm=C:\PROGRA~1\Java\JRE7\bin\client\jvm.dll

and the sassw.config and wrapper.conf files with the new location of the 32bits java

\java\JRE7\

Andre

Re: Java Vulnerabilities

jakarman — Wed, 23 Oct 2013 17:43:27 GMT

Andre, That behavior with all errors is "as expected" in the way I have described before.
You just changed the java version inside base/Foundation.
When other clients are involved (amo 9.3 and up) DI studio SMC you could have same unpredictable results by java updates.

The ini files of these clients combined to a wrapper are having the location of the java.

A JPRE is a simple copy of an existing JAVA version to an other location. That is as easy to create by yourself.

Having the Original needed java version somewhere you can extract/isolate that with no hard work.

Re: Java Vulnerabilities

blashmet — Wed, 23 Oct 2013 22:29:35 GMT

Does this mean one can create a JPRE and copy it from machine to machine without installing the browser plugin? For example, one just copies the Java folder and points SAS to it?

Re: Java Vulnerabilities

Andre — Thu, 24 Oct 2013 09:20:26 GMT

I must add that this morning 24 october, the oracle update 1.0.7.45 was not more uninstalling the 1.0.6.24

so the maintenanceof a bundle of individual windows install is now easier than last week

Andre

Re: Java Vulnerabilities

jakarman — Thu, 24 Oct 2013 16:47:13 GMT

Blashmet, Yes copying it is as easy that way that is JVM (JPRE) behavior.

Re: Java Vulnerabilities

blashmet — Thu, 24 Oct 2013 16:57:46 GMT

How does one create a JPRE without installing the broswer plugin? Do I copy the folder C:\Program Files (x86)\Java from a machine where I ran the installer to the new machine with SAS, and then point the SAS config files to it?

On another note, since it seems like SAS has the capability of connecting to the internet (see here), don't we still have to worry about Java vulnerabilities even if an old version of Java is in use by SAS and the browser plugin is not installed?

Re: Java Vulnerabilities

jakarman — Thu, 24 Oct 2013 17:43:16 GMT

When you go to: C:\Program Files\Java\jre7\bin you will find the exe files SAS is referring to in their config / ini files (java run-time).

The welcome-html file is telling it has a run-time and a browser plugin. The browser plugin is working/found by windows registry settings.

Indeed just copy the jvm to another location will give you a usable JVM without touching windows registry.

If you do not have installed the browser plug of java it won't get touched by malicious webpages.

What is not there, cannot harm you. Do you need to use java for one strange reason you can do the updates as needed for the browser.

Having an isolated SAS java version you can delete all other old versions, so everyone must be convinced it is a safe situation.

You could find a java version in the %sashome% location (installation 9.3) as many clients are using a dedicted java (encoding part) version.

Re: Java Vulnerabilities

blashmet — Thu, 24 Oct 2013 18:00:26 GMT

Is there a registry file I can run that would disable the browser plugin?

Re: Java Vulnerabilities

jakarman — Thu, 24 Oct 2013 18:20:35 GMT

How do I disable Java in my web browser? (oracle java link) en Why should I uninstall older versions of Java from my system?
This is going to get a little bit to the edge of the area I am moving arround. I needed this all for the issue running SAS.

Re: Java Vulnerabilities

blashmet — Thu, 24 Oct 2013 20:21:35 GMT

I know how to disable Java through the control panel, but you mentioned that the browser plugin is enabled/disabled via the registry. Also, you mentioned that disabling the browser plugin makes one insusceptible to Java vulnerabilities. So I have two questions:

1) Is there a way to disable the Java browser plugin via a simple .reg file?

2) If the browser plugin is disabled for all versions of Java on the system, does one really need to uninstall the old versions?

Re: Java Vulnerabilities

jakarman — Fri, 25 Oct 2013 18:12:56 GMT

Blashmet, I do not know what you know about the Windows registry. It has a good name of doing automatization. It has a very bad name as buildng up a lot of a rubbish in it, very bad documented on all vaules an options. Changing names and locations by releases. This is life at the hard-core system level.
1/ Probably Oracle could deliver a reg file for disabling the java plugin, you should ask Larry.

2/ See the note to registry contents, you cannot really trust that. Unistalling is trying to clean that up. Do a research on your contents (regedit).

Re: Java Vulnerabilities

jakarman — Fri, 25 Oct 2013 18:16:27 GMT

[Solved] Java Plug-in 1.6.0_24 jp2iexp.dll. (plugin problems java install uninstall)