Carnegie Mellon University
April 24, 2013

Security Alert: Critical Vulnerabilities in Java 6 and 7

WHOM DOES THIS AFFECT?
Windows, Mac and Linux users running Java versions 6 and 7

SUMMARY:
Multiple new security vulnerabilities have been discovered in Java and are being actively exploited to compromise computers. Oracle has released new versions of Java 6 and 7 to correct these vulnerabilities. All Java users should update to new versions as soon as possible. The Information Security Office will continue to monitor for and block known malicious websites and will also notify users of vulnerable computers on the campus network.

WHAT YOU NEED TO DO:
If you are running Java version 6, update to Java 6 version 45 as soon as possible. Java 6 version 45 can be downloaded at the following location:

http://www.java.com/en/download/manual_v6.jsp

If you are running Java version 7, update to Java 7 version 21 as soon as possible. Java 7 version 21 can be downloaded at the following location:

http://www.java.com/en/download/

If your Java installation is configured to automatically update, you may be prompted to install the most recent version without taking any additional action. It is recommended that you visit the Patch Check tool to validate that you have the most recent version installed; see:

https://www.cmu.edu/iso/patch-check/

Note: Computing Services is partnering with the Oracle Financials and HR Data Warehouse teams to update its supported version of Java 6. Users of these applications should continue to use their current Java version until notified that a supported release is made available. Customers of the Desktop Support Program (DSP) will also receive separate instructions regarding an update to their managed desktops.
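For administrators who want to verify the installed version from a script, the following is an added example; it is not part of the original alert and is not the Patch Check tool. It compares the first line of `java -version` output against the patched versions named above (Java 6 version 45, Java 7 version 21). The function names are hypothetical, the sample banners are constructed, and it assumes the `java version "1.x.0_NN"` banner format used by Java 6 and 7.

```python
import re
import subprocess

# Minimum patched update per Java family, as stated in this alert.
PATCHED_UPDATE = {6: 45, 7: 21}

# First line of `java -version`, e.g.: java version "1.7.0_17"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) parsed from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # A banner with no "_NN" suffix is the initial release (update 0).
    return int(m.group(1)), int(m.group(2) or 0)


def classify(banner):
    """Classify a banner against the patched versions in this alert."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    minimum = PATCHED_UPDATE.get(family)
    if minimum is None:
        return "not-covered"  # family not addressed by this alert
    return "patched" if update >= minimum else "vulnerable"


def local_banner():
    """Run `java -version` locally; the banner is written to stderr."""
    try:
        out = subprocess.run(["java", "-version"],
                             capture_output=True, text=True)
    except OSError:
        return ""  # java is not installed or not on PATH
    return out.stderr + out.stdout


if __name__ == "__main__":
    # Constructed sample banners, followed by the local installation.
    samples = ['java version "1.6.0_43"', 'java version "1.7.0_21"']
    for banner in samples + [local_banner()]:
        first_line = banner.splitlines()[0] if banner else "(no java found)"
        print(f"{first_line!r:40} -> {classify(banner)}")
```

Users of the Oracle Financials and HR Data Warehouse applications covered by the note above may report "vulnerable" until a supported release is announced.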

ADDITIONAL INFORMATION:
Additional information about this vulnerability is available at:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

CONTACT:
Please direct any questions or comments to the Computing Services Help Center (412-268-HELP or it-help@cmu.edu) or to your departmental administrator or DSP consultant.