
Potential security issue with Pledge's reliance on Java 6 #17

Open
aronr opened this issue Dec 20, 2014 · 5 comments
@aronr

aronr commented Dec 20, 2014

At least under Mac OS X - I'm not sure whether this is the case on other OSes - the Pledge one time password app requires the installation of Java 6.

This might potentially be problematic from a security standpoint. That's because the campus's Minimum Security Standards for Networked Devices (MSSND) (https://security.berkeley.edu/mssnd#software-patch-updates) state that:

Campus networked devices must only run software for which security patches are made available in a timely fashion

And Oracle will not be making such patches available for Java 6 (https://www.java.com/en/download/faq/java_6.xml):

Oracle no longer posts updates of Java SE 6 to its public download sites. All Java 6 releases up to and including 6u45 have been moved to the Java Archive on the Oracle Technology Network, where they will remain available but not receive further updates. Oracle recommends that users migrate to Java 7 in order to continue receiving public updates and security enhancements.

@aronr

aronr commented Jan 21, 2015

Oracle's support roadmap for Java SE can be found here:
http://www.oracle.com/technetwork/java/eol-135779.html

Free, public support for Java 7 ends after April 2015. If that schedule is adhered to, public security updates (i.e. those available without a paid support plan) will only be available for Java 8 after that date, through March 2017. Neither Java 6 nor Java 7 will receive any public security updates, going forward.

So if McAfee currently - or anytime within the next two years - provides a Pledge update based on a newer Java release, as of May 2015 that update would need to be based on Java 8, to conform to the campus's MSSND requirements.

@aronr aronr added the security label Jan 21, 2015
@davclark

Thanks for making a note of this here, @aronr. It's good to at least know y'all are thinking about this...

@aronr

aronr commented Jan 25, 2016

Thanks for noting this issue, @davclark.

Two quick thoughts:

  1. This issue is especially pertinent as long as Pledge is the one-time password tool for the Savio cluster. Its vendor, McAfee, has set an end of life date for this software and its infrastructure of July 13, 2016. LBNL and the UC Berkeley campus are actively working to replace it, with another OTP (or other 2-factor) solution. Presumably, that replacement won't require installation of an out-of-support Java release on any platform.
  2. I've seen one suggestion of a way to tweak Mac OS X preferences so as to make software requiring Java 6 believe that release is present, even when only Java 8 is installed. I haven't experimented with this, and it seems a bit of a hack, but perhaps a simple and reversible one. (Am cc'ing @rjaffe on this, as well, since he and I had a recent discussion about this.) From what we've seen in Oracle's release/change notes and from our experience with the CollectionSpace museum collections management software project (heavily Java-based), there are relatively few - generally somewhat edge case - changes in Java 7 and 8 that might affect Java 6 code, and many older apps run successfully without modification.

@jackspaceBerkeley

Would this be a good time to segue into using Yubikey OTP?

@aronr

aronr commented Jan 25, 2016

If you'd like to suggest that the folks investigating a Pledge replacement look at Yubikey, you might try writing the general inquiry address here: https://security.berkeley.edu/about/contact-us

Unfortunately, I don't recall hearing who's on that team; otherwise, this would be a more direct referral.
