Java consistently gets a bad rap when it comes to security—but considering half of enterprise applications in the last 15 years were written with the language, its pervasiveness (and commonly-known attack vectors) may be more to blame than Java’s inherent security weaknesses alone. That said, new approaches are being developed (e.g., Rask, Waratek) to improve Java web application security at the Java Virtual Machine (JVM) level, but for most organizations—instituting traditional security defenses for Java applications can help protect against the majority of Java-related exploits.
Because of the ubiquity of Java, comprehensive vulnerability management of Java-related tooling and technologies is crucial for maintaining strong security—whether you’re running a complete CI/CD pipeline or a couple internal enterprise web applications. The following are the top 10 Java technology vulnerabilities, to include tooling and popular applications for support Java-based application development.
This unit testing framework is a standard item in most Java developers’ toolkits, enabling quick and automated codebase testing. However, JUnit files that come with other applications can harbor vulnerabilities. For example, versions of the Google Web Toolkit (GWT) before 2.5.1 RC contain multiple cross-site scripting (XSS) vulnerabilities.
As the most commonly used continuous integration (CI) server on the market, Jenkins has a large following amongst Java developers accordingly. Unfortunately, popularity as continuous integration tool usually means more vulnerabilities and exploits—and in Jenkins’ case, multiple XSS, cross-site request forgery (CSRF), and denial-of-service (Dos) vulnerabilities exist.
Popular ORM framework Hibernate is commonly used amongst Java developers for mapping relational database objects like tables to Java classes. Versions 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 of the open source tool contain a vulnerability that can allow attackers to bypass Java Security Manager (JSM).
Apache Maven is a broadly-used build manager for Java projects, allowing for the central management of a project's build, reporting and documentation. A vulnerability in Apache Maven 3.0.4 allows for remote hackers to spoof servers in a man-in-the-middle attack.
This popular Java web application server has been a perennial favorite amongst developers for building servlets and applications with JavaServer Pages. Well over a decade old, Tomcat has amassed a relatively impressive range of security gaps from XSS to CSRF vulnerabilities—many of which have been exploited in the wild.
6. Java 7
Depsite Java 8’s entrance last year, Java 7 is still in predominant use—though it’s expected that by 2016 version 8 will lead the pack. It goes without saying that any version of Java below 7 should be updated immediately—even version 7 needs significant remediation for its fleet of vulnerabilities.
7. Spring Framework
Spring is an application framework with its own model-view-controller framework for Java, allowing for the separation of input, business, and UI logic. An open source project, Spring is not without its fair share of documented vulnerabilities.
8. JavaServer Faces
JavaServer Faces (JSF) is a presentation framework for Java that facilitates the development of re-usable user interface elements. A vulnerability in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 can give remote attackers the ability to read arbitrary files.
9. Eclipse IDE
Eclipse is a popular desktop tool for building web applications in Java, and has served as the preferred integrated development environment (IDE) of Java developers for years. Unfortunately, certain versions of its help files—of all things—are vulnerable to XSS-related exploits.
Vaadin is a popular Java framework for building contemporary Java web applications—think modern, single-page web apps powered by Java. An XSS vulnerability in the framework can allow remote attackers to inject arbitrary scripts into the pages.
To fix the above vulnerabilities, you will need to identify which of these technologies are being used in your environment, and visit the respective vendor/project's website for update/patch information. UpGuard can find all of these items automatically with a few mouse clicks. Furthermore, our editable Java vulnerability policy can grow to accommodate any custom checks for additional Java tooling. Give it a test drive today—it's free.
Java vulnerabilities infographic