All I need Java for is ....

Published: 2013-02-26
Last Updated: 2013-02-27 03:08:58 UTC
by Rob VandenBrink (Version: 2)
39 comment(s)

Java just can't catch a break!  A number of our readers have pointed out that Security Explorations claims they have 2 new Java zero days (no verification from Oracle on this yet).

This of course has fueled the fire of "it's time to just say no and uninstall Java" in many quarters.  And for general purpose internet browsing, maybe you can.  If you do need Java, and if you do, changing the security settings to "ask every time" is a good way to go.  Of course, if you run a business app that needs Java, you need to make it transparent to your user community somehow - this can be particular problem if your app needs a specific (aka old / vulnerable) Java version - we've talked about this in a few different stories over the last few months.

But this got me to thinking, as security folks, what tools or processes do we use daily that need Java?

My list is pretty short:
Burp Suite for Web Assessments -
ZAP - Zed Attack Proxy, also for Web Assessments -
Nessus, for straight up vulnerability assessments and security scans (Java is only needed for PDF exports in Nessus I think) -
Network appliance administration is often Java based as well - for instance, the GUI for Cisco ASA firewalls and many wirelss controllers requires Java to run.

What's in your "I only need Java for this or that infosec tool" list?  Please, let us know through our comment form.

============ Update ============

Our friends at PaulDotCom tell us (in the comments below) that Nessus no longer needs Java for PDF exports, as of November of 2012

Thanks for the heads-up on that, my bad for not noticing the change when it came !

Rob VandenBrink

Keywords: Java
39 comment(s)


Not security-related, but Dell IT Assistant wants it.
ManageEngine OpManager
Vigiliti nLive
GotoMyPC (can run w/o Java, but requires extra steps)
Cisco SSL vpn client
Juniper SSL vpn client
Zyxel SSL vpn client

I use QuickJava in Firefox to enable/disable on the fly. Every chance I get, I beg vendors to develop in another language . . .
To generate Nessus reports in PDF format you must have Java installed on the Nessus server (not required on the client system). And as of 11/2012 the Nessus user interface is HTML5 (So neither Java or Flash is required on the client.

Cisco SSL VPN client does not require Java. It can be installed via ActiveX or downloaded and manually installed (vs. the automated methods the other two provide).

I use Java for Oracle apps (we've a dozen), Cisco ASDM Firewall configuration, HP iLO.

I was able to uninstall Java from my personal computer when my small credit union updated their banking app's menu system to not need Java.

For each environment, I have multiple browsers and use "-no-remote -ProfileManager" with Firefox to get prompted for which one to use even if there is already a Firefox session running. My personal computer only had Java enabled in my banking browser profile. My work computer only has Java enabled in my Internal-only profile.

This isn't something you call really get non-technical people to buy off on or understand. The best thing we do is block Internet Explorer access to the Internet (user-agent string blocking in Proxy) and only allow Java with it. Firefox is all that is allowed to the Internet and using GPOs we block Java with Firefox. So, Internet Explorer for intranet-only, Firefox for Internet (no Java, and most of our staff have to use an Oracle app or two or dozen).
STIG Viewer - Version 1.1.2 iase dot disa dot mil
Remote control from PC of ELK M1 perimeter security system:

Not used every day, but it sure is handy when it's needed.
BlueCoat Web Proxy management, Cisco asdm.
The webcasts provided by SANS uses Elluminate software which requires Java to be installed in order to view the webcast. *facepalm*

Diary Archives