Yes, Java 7 is available for z/OS.
A description about the security issue can be found here:
http://www.kb.cert.org/vuls/id/625617
To me (but that's only my opinion), the following reads like only Java applets
are affected:
The Java JRE plug-in provides its own Security Manager. Typically, a web applet
runs with a security manager provided by the browser or Java Web Start plugin.
Oracle's document states, "If there is a security manager already installed,
this method first calls the security manager's checkPermission method with a
RuntimePermission("setSecurityManager") permission to ensure it's safe to
replace the existing security manager. This may result in throwing a
SecurityException".
By leveraging a vulnerability in the Java Management Extensions (JMX) MBean
components, unprivileged Java code can access restricted classes. By using that
vulnerability in conjunction with a second vulnerability involving the
Reflection API and the invokeWithArguments method of the MethodHandle class, an
untrusted Java applet can escalate its privileges by calling the
setSecurityManager() function to allow full privileges, without requiring code
signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. The
invokeWithArguments method was introduced with Java 7, so therefore Java 6 is
not affected.
This vulnerability is being attacked in the wild, and is reported to be
incorporated into exploit kits. Exploit code for this vulnerability is also
publicly available. We have confirmed that Windows, OS X, and Linux platforms
are affected. Other platforms that use Oracle Java 7 may also be affected.
Hope that helps,
Denis.
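Added example, not part of the original message or of the CERT note: a small inventory triage that sorts `java -version` output against the range quoted above (Oracle Java 7 update 10 and earlier affected, Java 6 not). The host names, sample outputs and result labels are constructed for illustration, and treating any output that mentions "IBM" as a separate vendor case is an assumption, since the quoted update numbers are stated for Oracle Java.

```python
import re

# Legacy "1.<major>.0[_<update>]" scheme printed by `java -version`,
# e.g. java version "1.7.0_10". The lookarounds keep the pattern from
# matching inside newer-style strings such as "21.0.1".
_LEGACY = re.compile(r'(?<![\d.])1\.(\d+)\.0(?:_(\d+))?(?!\d)')


def parse_legacy_version(text):
    """Return (major, update) for a legacy version string, else None."""
    m = _LEGACY.search(text)
    if m is None:
        return None
    # A missing "_NN" suffix means the initial release, i.e. update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def triage(version_output):
    """Classify one `java -version` output against the quoted range."""
    parsed = parse_legacy_version(version_output)
    if parsed is None:
        return "unparsed"
    major, update = parsed
    if "IBM" in version_output:
        # Assumption: the quoted update numbers describe Oracle builds,
        # so other vendors are routed to a manual vendor check.
        return "check-vendor"
    if major == 7 and update <= 10:
        return "affected"
    if major == 7:
        return "java7-above-u10"
    if major < 7:
        return "pre-java7"      # invokeWithArguments arrived with Java 7
    return "outside-advisory"


# Constructed sample inventory (not real hosts or real captures).
SAMPLES = {
    "web01": 'java version "1.7.0_09"',
    "web02": 'java version "1.7.0_11"',
    "app01": 'java version "1.6.0_38"',
    "zos01": 'java version "1.7.0"\nIBM J9 VM (constructed sample)',
    "dev01": 'openjdk version "21.0.1"',
}


def triage_inventory(samples):
    return {host: triage(out) for host, out in samples.items()}
```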