I'm informed that IBM has tested its own Java implementations (which are developed and tested by IBM) against the new zero day "EveryDay" exploit. Testing and related investigations have demonstrated that IBM Java is NOT vulnerable to this serious security threat that affects Oracle Java releases prior to and including 1.7.0_10 (1.7u10).

This threat also affects other Java implementations. Implementations from Red Hat, OpenJDK, IcedTea, and Oracle's predecessor Sun are also known to be vulnerable. Often Oracle and other Java implementations can be embedded in or shipped with other software and hardware products. You should prioritize remediation of any Java-enabled or Java-based products (such as developer workbenches and browsers) which have the ability to retrieve Web content from the public Internet and which use Oracle or other non-IBM Java implementations.

Again, there is NO requirement to take action if you are already up to date with IBM Java (and with products which use IBM Java). IBM Java is not vulnerable to "EveryDay" or to other attacks through that vector. That includes situations in which you are using IBM Java as your Java plug-in for your Web browser.

IBM has provided the results of this testing and investigation to CERT and through other regular channels. More information on this security threat is available here:

http://www.kb.cert.org/vuls/id/625617

I write for myself here only, so please rely on the proper channels for official information.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
Consulting Enterprise IT Architect (Based in Singapore)
E-Mail: [email protected]
