Re: Zero Day Error: Impact on CF?
As others have said, it's not actually an issue. I could see some uninformed higher-ups being wary of any Java platforms, such as CF. As long as they have technical underlings who can mitigate their fears, it shouldn't be an issue.

Scott

On Wed, Jan 16, 2013 at 8:43 AM, Robert Harrison rob...@austin-williams.com wrote:

> Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?

--
- Scott Brady
http://www.scottbrady.net/
Zero Day Error: Impact on CF?
I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.

Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182

Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising | Branding | Digital | Direct
125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
This vulnerability relates only to the Java app you install on your desktop, not the JVM you run on a server, so has no effect on CF at all, other than the Java applets used for things like CFGRID et al will no longer work on systems that have removed Java, but no-one really uses those any more anyway.

On Wed, Jan 16, 2013 at 3:43 PM, Robert Harrison rob...@austin-williams.com wrote:

> I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.
>
> Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
> http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182
>
> Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?
>
> Robert Harrison
> Director of Interactive Services
> Austin Williams
> Advertising | Branding | Digital | Direct
> 125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
Robert, in a word, No. Refer to this quote here:

"An important distinction that needs to be made between in-the-browser Java and the far more common Java runtime environment," says Jo DeMesy, senior analyst for Stach Liu. "This vulnerability does not affect Web applications which utilize the Java server-side, which is by far the most common use of the Java programming language. The vulnerability lies within the Java runtime exposed to Web clients which load a malicious Java applet. This type of implementation is much less common [in enterprise applications]."

As the article states towards the end, organizations need to begin replacing these applets/plugins (and ActiveX controls, Flash, etc.) with browser-based solutions using HTML5, et al. I know my company launched into a panic over our servers, both CF and other Java-based ones but as we told them, it's in the browser plug-in, not in our server runtime.

However, the concern of Oracle, and to a lesser extent all the JVM implementations out there, is the fact that tech leadership will see "Java Exploit Can't be Closed" and start moving people onto other platforms when the risk is on the client side, not server.

Phil

On Wed, Jan 16, 2013 at 10:43 AM, Robert Harrison rob...@austin-williams.com wrote:

> I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.
>
> Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
> http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182
>
> Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?
>
> Robert Harrison
> Director of Interactive Services
> Austin Williams
> Advertising | Branding | Digital | Direct
> 125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
From the article:

"An important distinction that needs to be made between in-the-browser Java and the far more common Java runtime environment," says Jo DeMesy, senior analyst for Stach Liu. "This vulnerability does not affect Web applications which utilize the Java server-side, which is by far the most common use of the Java programming language. The vulnerability lies within the Java runtime exposed to Web clients which load a malicious Java applet. This type of implementation is much less common [in enterprise applications]."

On Wed, Jan 16, 2013 at 10:59 AM, Russ Michaels r...@michaels.me.uk wrote:

> This vulnerability relates only to the Java app you install on your desktop, not the JVM you run on a server, so has no effect on CF at all, other than the Java applets used for things like CFGRID et al will no longer work on systems that have removed Java, but no-one really uses those any more anyway.
>
> On Wed, Jan 16, 2013 at 3:43 PM, Robert Harrison rob...@austin-williams.com wrote:
>
> > I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.
> >
> > Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
> > http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182
> >
> > Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?
> >
> > Robert Harrison
> > Director of Interactive Services
> > Austin Williams
> > Advertising | Branding | Digital | Direct
> > 125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
> > T 631.231.6600 X 119 F 631.434.7022
> > http://www.austin-williams.com
> > Blog: http://www.austin-williams.com/blog
> > Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
I think that Java is far too entrenched within the enterprise for anyone to consider abandoning it, including Oracle. I do not see this as the death knell of Java, or for CF, but rather an excuse for resources to be dedicated more heavily towards improving Java as a whole.

The issue addressed here is in relation to client side Java controls, which present little to no threat to CF based applications, or the CF server itself. (CERT suggested disabling Java *in web browsers*, not killing off JEE servers.) Homeland Security uses ColdFusion servers, as do large segments of the US and foreign governments. (I won't even mention the thousands of Tomcat and JBoss JEE server installations within the government and corporate environments to boot.)

Hold your cries til true cause says to.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer
http://cutterscrossing.com

Co-Author "Learning Ext JS 3.2", Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

On 1/16/2013 10:43 AM, Robert Harrison wrote:

> I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.
>
> Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
> http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182
>
> Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?
>
> Robert Harrison
> Director of Interactive Services
> Austin Williams
> Advertising | Branding | Digital | Direct
> 125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
That's what I said, Gerald.

On Wed, Jan 16, 2013 at 4:00 PM, Gerald Guido gerald.gu...@gmail.com wrote:

> From the article:
>
> "An important distinction that needs to be made between in-the-browser Java and the far more common Java runtime environment," says Jo DeMesy, senior analyst for Stach Liu. "This vulnerability does not affect Web applications which utilize the Java server-side, which is by far the most common use of the Java programming language. The vulnerability lies within the Java runtime exposed to Web clients which load a malicious Java applet. This type of implementation is much less common [in enterprise applications]."
>
> On Wed, Jan 16, 2013 at 10:59 AM, Russ Michaels r...@michaels.me.uk wrote:
>
> > This vulnerability relates only to the Java app you install on your desktop, not the JVM you run on a server, so has no effect on CF at all, other than the Java applets used for things like CFGRID et al will no longer work on systems that have removed Java, but no-one really uses those any more anyway.
> >
> > On Wed, Jan 16, 2013 at 3:43 PM, Robert Harrison rob...@austin-williams.com wrote:
> >
> > > I'd assume you've all been seeing the recent reports on Java. It's been officially announced by Homeland Security that the zero day error and other problems are too deeply embedded in Java to fix with a patch. Their official recommendation is to remove Java from all machines. I know Oracle put out a patch for this, but reports are the patch is considered insufficient and the problems too close to the core to fix.
> > >
> > > Information Week has an article on recommending users scale back on use of Java, remove it wherever possible, and do no further Java development. For example, see:
> > > http://www.darkreading.com/database-security/167901020/security/news/240146361/the-death-of-java-in-the-enterprise.html?cid=nl_DR_daily_2013-01-16_htmlelq=4d908631d1b04069869fc003faf4e182
> > >
> > > Question is: Could this be the death of CF? CF has been tenuous for several years now, and given that the core system on which CF is built (Java) is now getting bad press, what do you think this means for the future of CF?
> > >
> > > Robert Harrison
> > > Director of Interactive Services
> > > Austin Williams
> > > Advertising | Branding | Digital | Direct
> > > 125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
> > > T 631.231.6600 X 119 F 631.434.7022
> > > http://www.austin-williams.com
> > > Blog: http://www.austin-williams.com/blog
> > > Twitter: http://www.twitter.com/austin_
Re: Zero Day Error: Impact on CF?
Doubtful, reading about the exploit, this has an impact on client side Java, similar to the old client side Java applets that were in earlier versions of Coldfusion.