JDK-7109885 : security baseline for 7u2 or above is not set correctly

Details
Type: Bug
Submit Date: 2011-11-09
Status: Closed
Updated Date: 2013-01-08
Project Name: JDK
Resolved Date: 2012-01-13
Component: deploy
OS: windows
Sub-Component: deployment_toolkit
CPU: x86
Priority: P2
Resolution: Fixed
Affected Versions: 7
Fixed Versions: 7u4 (b05)

Description
Security baseline for 7u2 or above is not set correctly.

Currently, the security baseline for 7u2 is set at 7u2.

It should be 7u1 instead.


Comments
EVALUATION

fix for 7u2
                                     
2011-11-09
EVALUATION

Problem is in SecurityBaseline.java.

It's missing getBaselineVersion170() now (and simply returns CURRENT_VERSION, which is the bug).

    private static String getBaselineVersion(String requestedVersion) {
        if (requestedVersion.startsWith("1.3.1")) {
            return getBaselineVersion131();
        } else if (requestedVersion.startsWith("1.4.2")) {
            return getBaselineVersion142();
        } else if (requestedVersion.startsWith("1.5")) {
            return getBaselineVersion150();
        } else if (requestedVersion.startsWith("1.6")) {
            return getBaselineVersion160();
        } else {
            // No 1.7 branch: requests for the 7 family fall through to here.
            return CURRENT_VERSION;
        }
    }

2011-11-09
EVALUATION

Problem: in the JDK 7 code, the code for getting the security baseline for the 7 family is missing, so it defaults to using the currently running version as the baseline for the 7 family.

So when you run an applet with 7u2, and the applet requests 7u1, we will show the SSV dialog, even if 7u1 should be a valid security baseline. This is because the 7u2 code thinks the security baseline is 7u2, and 7u1 is insecure.

Fix: implement the security baseline for the 7 family.

Testcase: install 7u2, install 7u1, run this JNLP applet that requests 7u1 and make sure no SSV dialog is shown.

http://javaweb.us.oracle.com/~ngthomas/applet/HelloWorldDrag.html
                                     
2011-11-09
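
The fall-through described in the evaluation above, as an added Java example (not the JDK deployment source and not part of the original report). It models only the 7 family: `CURRENT_VERSION` and `getBaselineVersion170()` are names from the report, while the class, the other method names, the version-string comparison and the rule that the SSV dialog appears when the requested version is below the baseline are assumptions made for illustration.

```java
import java.util.Arrays;

// Added illustration, not the JDK deployment source. Only the 7 family is modelled.
public class BaselineDemo {
    static final String CURRENT_VERSION = "1.7.0_02"; // running JRE is 7u2

    // Name from the report; the value is 7u1, the baseline the report says is correct.
    static String getBaselineVersion170() { return "1.7.0_01"; }

    // Reported behaviour: no 1.7 branch, so a 7-family request falls through.
    static String baselineBeforeFix(String requested) {
        return CURRENT_VERSION;
    }

    // With the 7 family handled (hypothetical shape of the fix).
    static String baselineAfterFix(String requested) {
        if (requested.startsWith("1.7")) return getBaselineVersion170();
        return CURRENT_VERSION;
    }

    // "1.7.0_01" -> {1, 7, 0, 1}; missing trailing fields compare as 0.
    static int compare(String a, String b) {
        int[] x = parse(a), y = parse(b);
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? x[i] : 0, yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    static int[] parse(String v) {
        return Arrays.stream(v.split("[._]")).mapToInt(Integer::parseInt).toArray();
    }

    // Assumption: the SSV dialog appears when the request is below the baseline.
    static boolean showsSsvDialog(String requested, String baseline) {
        return compare(requested, baseline) < 0;
    }

    public static void main(String[] args) {
        // Constructed requests: 7 GA, 7u1, 7u2
        for (String req : new String[] {"1.7.0", "1.7.0_01", "1.7.0_02"}) {
            System.out.printf("%-9s before=%b after=%b%n", req,
                showsSsvDialog(req, baselineBeforeFix(req)),
                showsSsvDialog(req, baselineAfterFix(req)));
        }
    }
}
```

Only the 7u1 request changes between the two lookups; a request for 7 GA is still below the baseline in both.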
SUGGESTED FIX

http://sa.us.oracle.com/projects/deployment_data/7u2/7109885.0
                                     
2011-11-09
EVALUATION

Problem is specific only to apps requesting JRE 7u1 specifically. And for machines that have 7u1 + FX 2.0.2, there will not be an SSV dialog shown either when running apps.

Not a showstopper for JRE 7u2.
                                     
2011-11-10
EVALUATION

see MR
                                     
2011-12-20


