Java Version 7 Update 45 and Its Impact on IBM SmartCloud, Sametime and Sametime Classic Meetings


Java Version 7 Update 45 and its Impact on IBM SmartCloud, Sametime and Sametime Classic Meetings

Oracle’s latest release of Java (Java Version 7 Update 45) is proving to be very disruptive to users of Java Applets in general.

The addition of new security features, security-related Jar manifest attributes and the increase of the “Java Security Baseline” (to Java 7u45) combine to create a difficult user experience for users attempting to share their screen in Sametime-based meetings (SmartCloud, Sametime & Sametime Classic).

This document will describe these new security features, how they impact present versions of the product, available hot-fixes to address these issues and IBM’s general recommendations for customers regarding Java.

New Java 7u45 Security Features:

1. Enforcement of the “Permissions” Jar Manifest Attribute

The “Permissions” Jar Manifest Attribute is contained in the manifest file of signed Applet Jars. This attribute is used to verify that the runtime “out of sandbox” requirements of an applet do not exceed those requested at the time the Jar was signed.

This manifest attribute existed prior to Java 7u45 but was treated leniently. Java 7u45 begins enforcing this attribute with a warning “sticker” placed in the standard security prompt presented to users to run an applet:

Addition of the “Permissions” attribute to the Jar manifest alleviates the warning and prevents Applets from being blocked in future Java releases.

2. Introduction of the “Caller-Allowable-Codebase” Jar Manifest Attribute

The “Caller-Allowable-Codebase” Jar manifest attribute is a new addition in Java 7u45. Essentially it is a list of domains from which JavaScript is permitted to call into a signed Jar.

If this “Caller-Allowable-Codebase” attribute is not present the user is prompted with a “Security Warning” dialog which gives them the opportunity to “allow”/“do not allow” execution of the Applet. Users will be presented with this warning dialog each time the applet is run:

3. Introduction of the “Application-Name” Jar Manifest Attribute

The “Application-Name” Jar Manifest Attribute provides a way to supply a user-presentable name for the signed Jar. This name is used in any security or other dialogs concerning the execution of the Applet.

Note in the screenshot above the “Application” is listed as “UNKNOWN”. This attribute allows IBM to specify a (non-localized) name for our applications:

4. The “Java Security Baseline” has been increased to Java Version 7 Update 45

Oracle has increased the “Java Security Baseline” from Java Version 7 Update 25 to Java Version 7 Update 45.

This is important for several reasons:

1. Browsers are aware of this setting and can “blacklist” versions of the plugin deemed unsafe. Apple’s Safari and Firefox are particularly happy to do so.
2. The Java Plugin itself will alert users when it detects it is below the Security Baseline and offer users the opportunity to upgrade.
3. Some versions of the Java Plugin police themselves when they are below the known Security Baseline. This means features can be limited or blocked altogether.

How The New Security Features Impact Sametime Meetings:

The seemingly obvious solution here is to simply update all signed Applet Jars to include these new security-related Jar manifest attributes: “Caller-Allowable-Codebase” and “Application-Name”. Historically this is the approach taken by IBM: as Oracle introduces new security features IBM responds accordingly by adding these features to our signed Applets, the result being signed Applets that run without issue across all supported versions of Java.

Unfortunately it is not that simple with this release:

1. The “Caller-Allowable-Codebase” and “Trusted-Library” attributes cannot co-exist

Unfortunately Oracle made the seemingly poor decision not to let the new “Caller-Allowable-Codebase” attribute and the previously required “Trusted-Library” attribute (which it is essentially replacing) co-exist peacefully.

Older (pre-Java 7u45) JVMs are not aware of the new “Caller-Allowable-Codebase” attribute and will run without issue if it exists. In Java 7u45, however, the presence of the “Trusted-Library” attribute causes the “Caller-Allowable-Codebase” attribute to be ignored.

This means that Java Applet jars cannot be signed such that they run without security-related user interruption in both Java 7u45 and older versions of Java. It is an either/or proposition.

Oracle claims this will be “fixed in a future release so that both attributes can co-exist” (see link 4 below).
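The three manifest attributes from sections 1 to 3 and the co-existence rule just described can be checked mechanically before a Jar is re-signed. The following Python script is an added example, not part of the IBM document and not IBM’s or Oracle’s code: it parses the main section of a JAR manifest (including the format’s own 72-byte line wrapping with leading-space continuation lines, which a Caller-Allowable-Codebase list of several domains easily triggers), reports which of the 7u45 expectations a manifest violates, and rewrites it the way the document’s approach does (Trusted-Library dropped, Permissions, Caller-Allowable-Codebase and Application-Name present). The manifest text, domain names and application name are constructed; the allowed Permissions values come from Oracle’s manifest attribute documentation rather than from this document.

```python
"""Check and rewrite a signed-applet JAR manifest for the Java 7u45 rules.

Added example, not IBM's or Oracle's code. It encodes only what the document
states: Permissions, Caller-Allowable-Codebase and Application-Name should be
present, and Trusted-Library has to go because 7u45 ignores
Caller-Allowable-Codebase whenever Trusted-Library is also set. The manifest
text, domain names and application name below are constructed.
"""

MAX_LINE = 70  # 70 chars + CRLF = the 72-byte line limit the JDK jar tool applies

# Constructed sample: a jar signed the pre-7u45 way. Trusted-Library still sits
# next to the new attribute and Application-Name is absent. The long
# Caller-Allowable-Codebase value is wrapped onto a continuation line (leading
# space), as the manifest format requires once a line would pass 72 bytes.
OLD_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.7.0_21 (Oracle Corporation)\r\n"
    "Permissions: all-permissions\r\n"
    "Trusted-Library: true\r\n"
    "Caller-Allowable-Codebase: meetings.example.com *.example.net example\r\n"
    " .org\r\n"
    "\r\n"
    "Name: com/example/ScreenShareApplet.class\r\n"
    "SHA1-Digest: CONSTRUCTED-PLACEHOLDER\r\n"
)


def parse_main_attributes(manifest_text):
    """Return the main-section attributes as {name: value}; a line starting with
    one space continues the previous value, and the section ends at a blank line."""
    attrs, current = {}, None
    for line in manifest_text.splitlines():
        if line == "":
            break  # per-entry sections (Name/SHA1-Digest) follow; not needed here
        if line.startswith(" ") and current is not None:
            attrs[current] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % line)
        current = name.strip()
        attrs[current] = value.strip()
    return attrs


def check_7u45(attrs):
    """Return the problems a Java 7u45 user would hit with this manifest."""
    a = {k.lower(): v for k, v in attrs.items()}  # attribute names are case-insensitive
    findings = []
    if "permissions" not in a:
        findings.append("Permissions missing: 7u45 adds a warning sticker to the security "
                        "prompt and later releases may block the applet")
    elif a["permissions"] not in ("sandbox", "all-permissions"):
        findings.append("Permissions must be sandbox or all-permissions, got %r" % a["permissions"])
    if "caller-allowable-codebase" not in a:
        findings.append("Caller-Allowable-Codebase missing: every JavaScript call into the "
                        "applet raises the allow/do-not-allow Security Warning dialog")
    if "application-name" not in a:
        findings.append("Application-Name missing: security dialogs show the application as UNKNOWN")
    if "trusted-library" in a:
        findings.append("Trusted-Library present: 7u45 ignores Caller-Allowable-Codebase while "
                        "it is set; remove it (pre-7u45 JVMs then prompt the user instead)")
    return findings


def format_manifest(attrs):
    """Serialise the main section with 72-byte lines: values are kept ASCII so
    characters equal bytes, and an overlong line is split after MAX_LINE characters
    and continued with a leading space, which parse_main_attributes() rejoins."""
    lines = []
    for name, value in attrs.items():
        text = "%s: %s" % (name, value)
        text.encode("ascii")  # non-ASCII would break the char-equals-byte assumption
        lines.append(text[:MAX_LINE])
        rest = text[MAX_LINE:]
        while rest:
            lines.append(" " + rest[:MAX_LINE - 1])
            rest = rest[MAX_LINE - 1:]
    return "\r\n".join(lines) + "\r\n\r\n"


def rewrite_for_7u45(manifest_text, application_name, caller_domains):
    """Apply the approach the document describes: drop Trusted-Library and make
    sure Permissions, Caller-Allowable-Codebase and Application-Name are present."""
    attrs = {k: v for k, v in parse_main_attributes(manifest_text).items()
             if k.lower() != "trusted-library"}
    present = {k.lower() for k in attrs}
    if "permissions" not in present:
        attrs["Permissions"] = "all-permissions"  # screen sharing runs outside the sandbox
    if "caller-allowable-codebase" not in present:
        attrs["Caller-Allowable-Codebase"] = " ".join(caller_domains)
    if "application-name" not in present:
        attrs["Application-Name"] = application_name
    return format_manifest(attrs)
```

Running `check_7u45(parse_main_attributes(OLD_MANIFEST))` reports the missing Application-Name and the lingering Trusted-Library; `rewrite_for_7u45(OLD_MANIFEST, "Example Meeting Applet", ["meetings.example.com"])` produces a main section that passes the check, with the 73-character Caller-Allowable-Codebase line correctly wrapped. The per-entry digest sections are deliberately left alone: the Jar has to be re-signed after the manifest is changed anyway, and jarsigner regenerates them.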

2. JVMs below the Security Baseline disable “LiveConnect” on the default Security Level setting

Versions of Java that are aware of the Java Security Baseline feature are self-policing and will disable specific features when they determine they are below the current Security Baseline.

Fortunately there are only two versions of Java 7 that this currently applies to: Java 7u25 and Java 7u40.

LiveConnect (JavaScript to Java communication) is now disabled by these versions of Java when running with the default (and recommended) security level setting. LiveConnect is the communication mechanism between Sametime Web Applications and the Sametime Java Applets; it must be present and enabled in order for Sametime Meetings to work.

Furthermore this is a silent failure: users are not notified specifically when LiveConnect is blocked. Only when Java’s debugging is enabled will the user see the following message printed to the Java console:

security: LiveConnect (JavaScript) blocked due to security settings.

This leads to failures across IBM Sametime Meetings products. The Sametime Classic Meeting Room Client simply does not load. Similarly the Hosting Applet in Sametime New Meetings simply does not appear, again without indication.

In these cases setting Java’s Security Level to the lowest setting (now “Medium”) will enable LiveConnect and allow IBM Sametime Meeting applets to run properly. This is not something that can be detected directly or otherwise addressed in code.

Oracle and the Browsers are Serious About Users Staying Current with Java - IBM Customers should be too

Firefox, Chrome, Apple/Safari and even IE have begun to take a hard stance against plugins considered “insecure”. This leads to warnings or outright blocking of older versions of Java in some cases:
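Because the LiveConnect failure described above leaves no trace for the user, support staff usually end up reading a Java console trace. The following Python helper is an added example, not from the IBM document and not IBM’s or Oracle’s code: it pulls the JRE version from the console’s standard “Using JRE version” header line, looks for the “security: LiveConnect (JavaScript) blocked” message quoted above, and applies the document’s rules (7u45 is the baseline, 7u25 and 7u40 self-police, Medium re-enables LiveConnect) to produce a diagnosis. The console text is constructed; only the header line format and the blocked message are real.

```python
"""Triage a Java console trace for the silent LiveConnect failure.

Added example, not IBM's or Oracle's code. It applies only what the document
states: Java 7u25 and 7u40 self-police below the 7u45 Security Baseline and
silently block LiveConnect, the only visible sign being the "security:
LiveConnect (JavaScript) blocked" console line when Java tracing is on, and
setting the Security Level to Medium re-enables it. The console lines below
are constructed; the "Using JRE version" header is the standard Java console
header format, the remaining trace lines are made up.
"""
import re

SECURITY_BASELINE = 45            # Java 7u45, per the document
SELF_POLICING_UPDATES = {25, 40}  # the two Java 7 releases that disable LiveConnect
BLOCKED_MSG = "security: LiveConnect (JavaScript) blocked due to security settings."

# Constructed sample of a trace-level Java console from a 7u40 client.
SAMPLE_CONSOLE = """\
Java Plug-in 10.40.2.43
Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
User home directory = C:\\Users\\example
basic: Applet loaded.
security: LiveConnect (JavaScript) blocked due to security settings.
basic: Applet initialized
"""

JRE_VERSION = re.compile(r"Using JRE version 1\.(\d+)\.\d+_(\d+)")


def parse_jre(console_text):
    """Return (major, update) from the console header, e.g. (7, 40), or None."""
    match = JRE_VERSION.search(console_text)
    return (int(match.group(1)), int(match.group(2))) if match else None


def diagnose(console_text):
    """Classify the trace and return the advice a support engineer would give."""
    version = parse_jre(console_text)
    blocked = BLOCKED_MSG in console_text
    result = {"jre": version, "liveconnect_blocked": blocked}
    if version is None:
        result["advice"] = "no JRE version in the trace; ask for the Java console header"
        return result
    major, update = version
    if major < 7:
        # Java 6 gets no public updates and 6u45 sits below the baseline.
        result["advice"] = "not Java 7; move to Java 7u%d" % SECURITY_BASELINE
    elif major > 7 or update >= SECURITY_BASELINE:
        result["advice"] = "at the Security Baseline; applets should run without prompts"
    elif update in SELF_POLICING_UPDATES and blocked:
        result["advice"] = ("LiveConnect blocked by the self-policing JVM: set the Java Security "
                            "Level to Medium as a workaround, or update to 7u%d" % SECURITY_BASELINE)
    elif update in SELF_POLICING_UPDATES:
        result["advice"] = "self-policing JVM but no block logged; enable Java tracing and retry"
    else:
        result["advice"] = "below the Security Baseline; expect update prompts; update to 7u%d" % SECURITY_BASELINE
    return result
```

`diagnose(SAMPLE_CONSOLE)` returns the 7u40 version, flags the block and recommends the Medium workaround; the same function applied to a 7u45 header reports the client as at the baseline, which separates “Java is fine, look elsewhere” cases from the silent LiveConnect block in a few seconds.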

Oracle itself has introduced the “Security Baseline” feature in order to alert users when their version of Java is out-of-date or considered insecure:

Oracle and the Browsers are forcing users to jump through (often intentionally scary) hoops in order to attempt to run Java Applets in older/insecure versions of Java.

Sametime Meetings Hot-Fixes and User Experience

IBM is embracing the new manifest attributes altogether for Jar signing across Sametime, SmartCloud and Sametime Classic Meetings. Specifically this means:

1. The “Trusted-Library” attribute has been removed. It was previously introduced to avoid security warnings for some older JVMs and is not compatible with the latest Java 7u45 security features.
2. The “Caller-Allowable-Codebase” attribute has been added.

3. The “Permissions” attribute has been added.
4. The “Application-Name” attribute has been added.

The following table describes the differing end user experiences for each version of Java based on this approach.

Java 7 - 7u10
  Security Levels: N/A
  Security Level “High” and “Medium”: Applets will run properly without additional prompts or warnings.

Java 7u11 - 7u17
  Security Levels: Very High, High (default), Medium, Low, Custom
  Security Level “High” and “Medium”: Java warns of insecure JVM and prompts user.

Java 7u21
  Security Levels: Very High, High (default), Medium
  Security Level “High” and “Medium”: Java warns of insecure JVM and prompts user. User prompted with “Block potentially unsafe components from being run? Block/Don’t Block?” If “Don’t Block” is chosen the applets run normally.

Java 7u25 & 7u40
  Security Levels: Very High, High (default), Medium
  Security Level “High”: Java warns of insecure JVM and prompts user. LiveConnect blocked with no user indication. SmartCloud & Sametime New: Share Selection Dialog does not appear. Sametime Classic: “Checking for Java” step does not complete.
  Security Level “Medium”: Java warns of insecure JVM and prompts user. User prompted with “Block potentially unsafe components from being run? Block/Don’t Block?” If “Don’t Block” is chosen the applets run normally.

Java 7u45
  Security Levels: Very High, High (default), Medium
  Security Level “High” and “Medium”: Applets will run properly without additional prompts or warnings.

IBM Recommendation for Customers

IBM strongly encourages our customers to migrate to Java 7 and take a more agile approach to upgrading Java. Staying at or above the Java Security Baseline is paramount in making sure users are protected from the major security issues that have been found in previous versions of Java.

To that end, IBM is moving in step with the latest security enhancements in Java.

History of Java 7 Versions and Security Features:

Oracle has not been consistent with their version increments for Java releases (at least not publicly). Here is a complete list of Java versions with important security-related changes indicated:

Java 7
Java 7u1
Java 7u2
Java 7u3
Java 7u4
Java 7u5
Java 7u6
Java 7u7
Java 7u9
Java 7u10
Java 7u11 - Java begins prompting users to update “insecure” Java versions
Java 7u13
Java 7u15
Java 7u17
Java 7u21 - “Trusted-Library” attribute introduced
Java 7u25 - “LiveConnect” disabled when below the “Security Baseline”
Java 7u40
Java 7u45 - “Caller-Allowable-Codebase” attribute introduced, now the security baseline

Java 6

Oracle is no longer providing updates publicly for Java 6, not even for security reasons.

Java 6u45 (the most recent Java 6 release) is now below the Java Security Baseline.

Oracle and IBM strongly encourage our customers to move to Java 7.

Please see the “Useful Links” section below for more information from Oracle on Java 6.

Useful Links:

1. Java 7u25 Release Notes. See section on “LiveConnect Blocked under Some ava/javase/7u25-relnotes-1955741.html
2. Oracle Information on the “Security Baseline” and its impact on pre 7u45 /entry/updated security baseline 7u45 impacts
3. Oracle Information on the Java 7u45 Jar Manifest Attributes for hnotes/guides/jweb/manifest.html
4. Oracle discussion on the “Caller-Allowable-Codebase” and “Trusted-Library” attribute coexistence p/entry/7u45 caller allowable codebase and
5. Oracle on Java 6 http://www.java.com/en/download/faq/java 6.xml
6. Oracle Java SE Support ase/eol-135779.html#Java6-end-public-updates
