
Java Vulnerabilities

Occasional Contributor
Posts: 8

When the recommended Java installation option is used with SAS, does SAS install the browser plugin/component of Java, or is this a special "localized" version of Java only utilized by SAS?

I'm not sure if this is correct, but it seems like Java vulnerabilities are only exploitable when Java is enabled in a browser.

I ask because we are currently required to keep Java updated on SAS workstations, but this doesn't seem necessary if the SAS version of Java isn't really open to Java vulnerabilities (since it's not interfacing with the internet).

Any help would be appreciated.  Thanks!



All Replies
Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

The standard SAS installation on a desktop will try to replace the default Java installation.
This approach will lock you in to being dependent on the browser/default version.

Knowing that, it is better to define a localized Java version yourself and use that as the SAS version.

The advice is to install that SAS JPRE (private Java version(s)) on a local drive.
Once I got different behavior when it was installed on a network drive versus a local drive, as something with locking the log files and more.

The SAS code that will use this Java run-time can be placed on network drives. The ini files hold the options/settings and there are no Windows registry entries or DLLs involved. You could use a copy-deploy approach. The more difficult clients are EGuide, AMO and SAS/Base as they are more integrated into Windows.

For fun: after 9.3 the encoding of the Java environment is used in SAS, not that of the OS.

---->-- ja karman --<-----
Occasional Contributor
Posts: 8

Re: Java Vulnerabilities

Thanks for your comments, however, I'm not sure they answered my questions.

To reiterate,

I want to know if allowing SAS to install Java means the browser component of Java will also be installed. If not, is that system still open to Java vulnerabilities?

Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

Blashmet.

To repeat:

If you only type setup and say yes to all the defaults, it will also do the browser (standard Java install).

a/ You will be vulnerable through the browser by that Java version.

b/ Your change/update process is introducing a dependency. Some updates of Java may hurt SAS processing.

Change the installation approach so you do not use that combined approach.

Do not use the same Java VM for the browser and SAS. So:

a/ You can still disable/not run Java in the browser or use a dedicated verified version for that. You will not be vulnerable at that part.

b/ Run the SAS system with Java in a well-secured OS security setting. No matter how buggy Java is, it will not get out of that OS isolation level of your user/system processes. (Do not run them at root level.)

The browser vulnerability is caused by breaking barriers between the outer world and the inner world.

That is a non-existent situation when running SAS, as it is only the inner world.

---->-- ja karman --<-----
Solution
10-21-2013 09:57 AM
SAS Employee
Posts: 102

Re: Java Vulnerabilities

Note that the answer is actually different for 9.3 and 9.4.  For 9.3, SAS ships a standard JRE install which does indeed include the browser plug-in.  For 9.4, SAS uses a private JRE which does not install the browser plug-in and does not impact other applications on the system.

Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

Thanks Mark, that is indeed an improvement as it is avoiding the default Oracle Java installation procedure.
There are more challenges like:

-  the .Net security and manifest file being abandoned by Microsoft.

- Virtualisation issues as of CCM (former Soft-Grid) with the default smaller machine setups as of VDI

- The reference file to a webserver with EMiner as part of the clientsoftware not the client configuration

- ...

Any improvements / "what is new" on those parts? 

I could not resist asking this because there are a lot of issues getting SAS installations aligned with common IT governance policies.

---->-- ja karman --<-----
Occasional Contributor
Posts: 8

Re: Java Vulnerabilities

Is there a way to use a "private" version of Java with SAS 9.3? Is there a way to simply delete the browser plugin?

SAS Employee
Posts: 102

Re: Java Vulnerabilities

SAS 9.3 relies on a public JRE, either the one included in your order or one which is preinstalled on your system.  You'll need to consult your public JRE supplier if you're looking for a way to delete the browser plugin.  The last I explored this, Oracle recommended you disable the plugin via disabling Java in the browser interface rather than supplying a way to avoid installing it in the first place.

Super Contributor
Posts: 273

Re: Java Vulnerabilities

Last week, I observed that with the update of Java 1.7.0.45

this security update was destroying every other Java directory inside

C:\Program Files\Java

so the 9.3.2 32-bit version was touched by this, as originally, when you were

accepting the install of SAS, the 1.6.0.24 was installed by default in

the directory where Oracle is now purging anything other than the jre7.

The consequence was no graphics inside SAS and

ERROR: The Java proxy is not responding.
ERROR: The Java proxy's JNI call to start the VM failed.
ERROR: Java failed to start during the SAS startup.

The bypass I found is to correct

all the sasv9.cfg files.

For 9.3.2, the urgent bypass perhaps consists of modifying the config files (case: Windows 7 32-bit, SAS 9.3.2 32-bit)

-Dsas.jre.libjvm=C:\PROGRA~1\Java\JRE7\bin\client\jvm.dll

and the sassw.config and wrapper.conf files with the new location of the 32-bit Java

\java\JRE7\

Andre

Super Contributor
Posts: 273

Re: Java Vulnerabilities

I must add that this morning, 24 October, the Oracle update 1.0.7.45 was no longer uninstalling the 1.0.6.24,

so the maintenance of a bundle of individual Windows installs is now easier than last week.

Andre

Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

Andre, that behavior with all the errors is "as expected" in the way I described before.
You just changed the Java version inside Base/Foundation.
When other clients are involved (AMO 9.3 and up, DI Studio, SMC) you could have the same unpredictable results from Java updates.

The ini files of these clients, combined with a wrapper, hold the location of the Java.

A JPRE is a simple copy of an existing Java version to another location. That is as easy to create yourself.

Having the original needed Java version somewhere, you can extract/isolate that with no hard work.

---->-- ja karman --<-----
Occasional Contributor
Posts: 8

Re: Java Vulnerabilities

Does this mean one can create a JPRE and copy it from machine to machine without installing the browser plugin? For example, one just copies the Java folder and points SAS to it?

Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

Blashmet, yes, copying it is as easy as that; that is JVM (JPRE) behavior.

---->-- ja karman --<-----
Occasional Contributor
Posts: 8

Re: Java Vulnerabilities

How does one create a JPRE without installing the browser plugin? Do I copy the folder C:\Program Files (x86)\Java from a machine where I ran the installer to the new machine with SAS, and then point the SAS config files to it?

On another note, since it seems like SAS has the capability of connecting to the internet (see here), don't we still have to worry about Java vulnerabilities even if an old version of Java is in use by SAS and the browser plugin is not installed?

Trusted Advisor
Posts: 3,212

Re: Java Vulnerabilities

When you go to C:\Program Files\Java\jre7\bin you will find the exe files SAS is referring to in its config/ini files (Java run-time).

The welcome HTML file says it has a run-time and a browser plugin. The browser plugin is found/made to work via Windows registry settings.

Indeed, just copying the JVM to another location will give you a usable JVM without touching the Windows registry.

If you have not installed the browser plugin of Java, it won't get touched by malicious webpages.

What is not there cannot harm you. If you need to use Java for some strange reason, you can do the updates as needed for the browser.

Having an isolated SAS Java version, you can delete all other old versions, so everyone must be convinced it is a safe situation.

You could find a Java version in the %sashome% location (installation 9.3), as many clients are using a dedicated Java (encoding part) version.

---->-- ja karman --<-----
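The thread's recurring advice (Andre's -Dsas.jre.libjvm fix and ja karman's private JPRE) suggests a simple audit for a fleet of SAS 9.3 workstations: read each sasv9.cfg, find which jvm.dll SAS is pointed at, and flag whether that JVM lives in the shared C:\Program Files\Java directory that an Oracle update can purge, or in a private copy that updates will not touch. This is an added example, not SAS code or any poster's script; the config fragment is constructed around Andre's path, and the list of public Java directories is an assumption.

```python
"""Audit which JVM a SAS 9.3 sasv9.cfg points to (added example, not SAS code)."""
import os
import re
from pathlib import PureWindowsPath

# Constructed sample: the -Dsas.jre.libjvm line and the C:\PROGRA~1\Java\JRE7
# path come from Andre's post, the surrounding lines are made up for the demo.
SAMPLE_CFG = r"""
-JREOPTIONS (
    -Dsas.jre.libjvm=C:\PROGRA~1\Java\JRE7\bin\client\jvm.dll
    -Xmx128m
)
-MEMSIZE 2G
"""

LIBJVM_RE = re.compile(r"-Dsas\.jre\.libjvm=(\S+)")

# Directories managed by the public Oracle installer (assumption); a JVM that
# lives here can be removed or replaced by a Java update, as the thread shows.
PUBLIC_JAVA_DIRS = ("program files\\java", "program files (x86)\\java",
                    "progra~1\\java", "progra~2\\java")


def find_libjvm(cfg_text: str):
    """Return the jvm.dll path given by -Dsas.jre.libjvm, or None if unset."""
    m = LIBJVM_RE.search(cfg_text)
    return m.group(1) if m else None


def is_public_install(jvm_path: str) -> bool:
    """True if the JVM sits in the shared Java directory (not a private JPRE)."""
    p = str(PureWindowsPath(jvm_path)).lower()
    return any(d in p for d in PUBLIC_JAVA_DIRS)


def audit_cfg(cfg_text: str, exists=os.path.exists) -> dict:
    """Summarise the JVM reference; `exists` is injectable for offline tests."""
    jvm = find_libjvm(cfg_text)
    if jvm is None:
        return {"jvm": None, "present": False, "private": False,
                "finding": "no -Dsas.jre.libjvm; SAS falls back to the public JRE"}
    present, private = exists(jvm), not is_public_install(jvm)
    if not present:
        finding = "jvm.dll missing: expect 'ERROR: The Java proxy is not responding'"
    elif not private:
        finding = "JVM is in the shared Java directory; a Java update can break SAS"
    else:
        finding = "private JVM outside the public install; updates will not touch it"
    return {"jvm": jvm, "present": present, "private": private, "finding": finding}


if __name__ == "__main__":
    print(audit_cfg(SAMPLE_CFG))
```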