HP's Unix rebuffs Java security exploit
June 1, 2009
A new critical patch for the HP-UX operating environment — a key element in many HP 3000 transition plans — has closed the door on the latest security hack.
Java can be forced to execute rogue code on HP's Unix, as well as many other flavors of the OS from other vendors. Versions B.11.11, B.11.23 and B.11.31 of HP-UX are affected when running the Java Runtime Engine 6.0.03 or earlier, or RTE 22.214.171.124 or earlier.
The problem's details, scant as they are, are on the HP IT Response Center Web site page dedicated to the security breach. (You'll need a password and user handle to log in. These are free.) The patch is HPSBUX02429; the service number is SSRT090058.
HP says "you could be at risk of a serious recoverable error if action is not taken." The HP 3000 version of Java doesn't use these more recent runtime engines. But Java on the 3000 isn't a fully functional tool, either.
Not all vendors have written a patch to close Java's security holes under Unix. One back door remains open for Apple systems, even after six months of notice about the breach. Apple's OS X is still missing a patch as of this week, much to the dismay of system admins. One developer has actually published a how-to, a proof of concept exploiting this breach, to nudge along the Apple patch.
The secured versions of Java for HP-UX are available at HP's Java Web site.