16 Replies Latest reply on Jul 16, 2014 5:01 AM by pedroclark

    No One Expects The Java Patch!

    Tom Hollingsworth

      It seems the operating system patches take the brunt of the blame when it comes to problematic behavior.  It used to be a common occurrence to have multiple days of Windows patches or a never-ending stream of Linux updates.  Thankfully, most of the operating system folks have learned that having a regular schedule works well.  Patch Tuesday means something to most folks.  I don't think the OSes are totally to blame though.


      Even as I sat down to write this post, my desktop started chirping that it was time to install updates to many of my applications.  You might know some of the names: Reader, Air, and Flash for starters.  Even the above-mentioned Java is a frequent offender of relentless updating.  With a version number like "1.7.0_40-b43", you begin to realize that there are tons of builds.  Those are just the ones we see.


      Every time an application vendor finds an issue with software, they issue a small patch.  Point releases, engineering specials, or incrementing builds are not uncommon.  I can remember installing an application and then calling support only to be told that they don't support version 5.1 ES48 any longer.  The very fact that their support department is issuing patches for problems outside the normal patching process should say something.


      If your software program needs weekly updates to operate correctly, you've got a bigger problem to address.  I understand that some programs, like Java, have such deep system level access that patching exploits quickly is crucial.  But, issuing a patch every two or three days until you've plugged all the holes is a bad idea.  It's an even worse idea when you destroy your application compatibility.


      I can still remember DLL Hell in older versions of Windows.  It's been replaced by Java Hell, where incompatible versions of JRE break other applications due to minor (or major) fixes to the way things are handled.  Every patch or suggested upgrade gives people nightmares because of all the possible disasters that await when the CRM application breaks or the Java-based network appliance configurators stop responding.


      What patch management needs to be successful is a way for administrators to manage third party patches along with the OS patches.  If the majority of work being done on the system is via applications (and the services that support them), then patch management should have visibility into those processes.  If not, your expectation won't be to look at Java when your critical applications come crashing down.


      What do you think?  Do you spend most of your time fighting 3rd party programs?  Have you tried using a 3rd party patch manager?  Do you want to throw Flash and Java out the windows due to the constant updating?  Tell me all about it!

        • Re: No One Expects The Java Patch!
          wbrown

          This makes me glad I moved away from the server/application career path and into the networking path.  That, and getting further away from users.

          Firmware updates on switches/routers/firewalls do not happen automatically, don't happen often, and are only done if a clearly identified need arises.

          • Re: No One Expects The Java Patch!
            byrona

            Speaking of patches that we can't trust, it seems I can't trust the patches for my patching system.  I just applied a HotFix last week that I was told would resolve a problem I was having only to find this week that the HotFix I applied made it so that my patching system can no longer deploy patches.  Vendor support confirmed this as a known problem affecting most customers and that they are working on a fix.  Talk about bad times: because of a patch applied to my patching system, I now can't use automated patch deployment for all of my other systems.

            • Re: No One Expects The Java Patch!
              syldra

              I quit fighting months ago... I know it puts us at risk in every possible way, but Java patching is never complete and when I finish my round, another patch comes out. I've grown from a preventive mode to a reactive one. If a computer gets infected, I react fast and save the day. When my boss told me he thought we had more infections than before I was hired, I just answered him "No... the difference is now you know about them."


              It's even worse when you need some piece of software from a supplier that relies on Java but doesn't get updated. I often receive calls from a user saying "software XYZ doesn't work" only to find out their Java's been updated and software XYZ doesn't support it yet. Roll back Java, "see you next month!".

              • Re: No One Expects The Java Patch!
                Jonathan Angliss

                Java is a particularly nasty application to maintain, especially from the systems/network administrator's point of view.  There are so many tools and applications that are dependent on specific Java versions, and many install their own versions of JRE just to run due to compatibility issues.  I believe my workstation has 5 different versions installed, and some of them are really old. The last round of updates broke my SAN switch utilities, so I'll be hunting down an older version to roll back to (side note, has anybody noticed Oracle requires you to sign up for an account to download older versions now?).


                As for general application patching, for servers, we don't run much in the way of special software, lots of IIS boxes running mostly .NET based code, so using WSUS or similar patching utilities makes our life easier.  Desktops, on the other hand, are handled by a different team; they have a couple of folks dedicated to patching and testing, and maintain a pretty close to "patch Tuesday" patching schedule.  I'd personally remove all the evils (Flash/Java/Acrobat Reader) if I could get away with it; unfortunately, too much of what we do involves using those 'tools'.


                Happy patching!


                --

                Fetch... The COMFY CHAIR!
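An added illustration, not code from anyone in this thread, of the version pinning the original post's "1.7.0_40-b43" and Jonathan's five-JREs workstation describe: it parses Java's legacy `1.7.0_40-b43` style alongside the post-Java-9 `11.0.2+9` style into one comparable value, picks the newest installed JRE an application's supported range still allows (the "roll back" case), and lists builds older than a floor you no longer accept. Function names and the `INSTALLED` inventory are assumptions and constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Legacy form "1.7.0_40-b43": major 7, minor 0, update 40, build 43.
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")
# Post-Java-9 form "11.0.2+9": major 11, minor 0, patch 2, build 9.
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\+(\d+))?$")

@dataclass(frozen=True, order=True)
class JavaVersion:
    major: int
    minor: int
    update: int  # "update" in the legacy scheme, "patch" in the new one
    build: int

def parse_java_version(text: str) -> JavaVersion:
    """Parse either version-string style into one comparable value."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        major, minor, update, build = m.groups()
        return JavaVersion(int(major), int(minor), int(update or 0), int(build or 0))
    m = _MODERN.match(text)
    if m:
        major, minor, patch, build = m.groups()
        return JavaVersion(int(major), int(minor or 0), int(patch or 0), int(build or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")

def pick_jre(installed: List[str], lowest: str, highest_exclusive: str) -> Optional[str]:
    """Newest installed JRE inside an application's supported range, or None."""
    # 'lowest' is the oldest build the app runs on; 'highest_exclusive' is the
    # first build known to break it (the "doesn't support it yet" case).
    lo, hi = parse_java_version(lowest), parse_java_version(highest_exclusive)
    usable = [v for v in installed if lo <= parse_java_version(v) < hi]
    return max(usable, key=parse_java_version) if usable else None

def stale_jres(installed: List[str], floor: str) -> List[str]:
    """Installed JREs older than 'floor', the oldest build you still accept."""
    f = parse_java_version(floor)
    return [v for v in installed if parse_java_version(v) < f]

# Constructed inventory of JREs on one workstation (sample data, not real).
INSTALLED = ["1.6.0_45", "1.7.0_40-b43", "1.7.0_80", "1.8.0_291", "11.0.2+9"]

if __name__ == "__main__":
    # A SAN tool certified for 7u40 up to, but not including, Java 8 -> 1.7.0_80
    print(pick_jre(INSTALLED, "1.7.0_40", "1.8.0"))
    print(stale_jres(INSTALLED, "1.8.0"))  # the three pre-Java-8 builds
```

Running the audit on each workstation's inventory before an update lands tells you which pinned tools will lose their JRE and which old builds are still lying around.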

                • Re: No One Expects The Java Patch!
                  Aaron Denning

                  I used to be this bad guy that did patch management and I learned really quickly that military people hate when you tell them it's a patch. We always hated the day that a new Java patch came out because we could expect it to break at least half the machines in our scope. Our way of getting this down a little bit more was to use a huge scope to "test" and then make it public; if it killed computers, find out why Java broke, and if it was just a program that wasn't compatible we would exclude them from the group using SCCM. That's how we did it in the military, but now that I work in network management I don't worry about it anymore; the guys here seem to have a good handle on it. I haven't had to re-image my computer yet and I've been here for almost a year now.

                  • Re: No One Expects The Java Patch!
                    Alen Geopfarth

                    Java Patches are the bane of my existence. We run a highly customized Oracle environment that requires a specific instance of JRE. I can't tell you how many times we get users who are upset that the Oracle applications won't run because they decided to attach their laptops to the internet and update the JRE to a newer version our Oracle system does not support. This is not a problem I can even fix with a Patch Management server. This is a limitation of the Oracle system the corporation uses. The updates to Oracle that are required to update JRE to the latest version would probably break more of the Database than any realized improvement in the system.


                    I'm with wbrown on this one.....give me network command line support any day. IOS/NXOS FTW!

                    • Re: No One Expects The Java Patch!
                      cahunt

                      We had some old apps that would require or only work with an older version of JRE. We kept a special link for when users would call saying, this app does not work.

                      Check the system, confirm the version, uninstall and install the old version.. and they were good until a desktop tech decided to re-enable auto Java updates.

                      I can identify with syldra on the whole fun process that Java can create. I ignore these alerts until I get bored or find that I am on a webpage or some silly app won't run because I have not updated my Flash, or Java, et al.

                      • Re: No One Expects The Java Patch!
                        michael stump

                        I try to keep my servers slim in terms of what applications are installed on each. Smaller attack surface, fewer vulnerabilities to patch. I've tried a number of patch management solutions (granted this was years ago when Citadel was pushing Hercules) but never found one that was worth the trouble to configure and deploy. WSUS works really well, in my opinion.


                        Re: flash and java. When you spend non-trivial amounts of time in the vSphere Web Client and UCS Manager, you're stuck with these dinosaurs. I've had enough of Java trying to get me to install the Ask.com toolbar (who uses toolbars anymore?). And Flash, although it claims to keep itself up-to-date automatically, rarely does. If VMware and Cisco could port their admin interfaces to run natively in the browser, I think we'd all be happier. Or at least, less grumpy.

                        • Re: No One Expects The Java Patch!
                          ecklerwr1

                          Another area with Linux that has bitten us is when programmers interface directly to the kernel.  If the update patches the kernel it breaks all kinds of stuff.


                          Jonathan Angliss:

                          You can see Oracle is slowly working towards monetizing Java, so that's why Oracle is requiring an account to download versions now.

                          • Re: No One Expects The Java Patch!
                            mbwalker

                            I love some of the capability Java brings to the application world but....


                            So many apps depend on a specific version of Java. I have several support applications that are Java based. Some don't care what version you are running, some won't even display a complete screen of information without the correct version, others require you to disable and enable various versions. AAAAARRRRRRGGGGGGHHHHH!!!!!


                            So now when I am asked to perform a task with one of the apps that won't work except under a specific Java version, it is easier for me to say "I can't do that because the app won't run on my system".


                            I chose the networking route years ago because OS and applications can be ornery and complicated. Now, in a lot of instances, I can't even manage my networking devices because Java won't work on my system.

                            I thought Java was supposed to make things easier/better and maybe it does. I am sure things are easier for the Java programmers but they sure do make my job harder at times.


                            Brad W.

                            • Re: No One Expects The Java Patch!
                              Kurt H

                              I really hate the constant patching. Even though Java is a good product we are finding more and more that places are setting Java to a higher security level so it is hard to run anything that uses Java anymore. We all have to thank those Security people for making everyone's lives so hard at times.

                              • Re: No One Expects The Java Patch!
                                Kevin Rak

                                I really love NiniteOne for this. It can easily deploy updates to Flash, Air, Silverlight, .NET, Java, etc. to the entire AD infrastructure with a single click. It can be scheduled via Windows Task Scheduler too, but I haven't taken the time to do that; so far I've been doing this manually. You can't beat the price for it either...

                                  • Re: No One Expects The Java Patch!
                                    uidzer0

                                    Yes!  NINITE, wrapped with a decent deployment methodology will solve most headaches.  Spend the money and support the group.  You can take versions offline.  They strip all the bs out, toolbars, cruddy advertisements, detect x64 and x86, etc.  Just great all around product!

                                  • Re: No One Expects The Java Patch!
                                    tspwayne

                                    I must admit this is the bane of my life personally and in work mode. My personal devices are always asking for this update and that update (Adobe, Flash, Java). The worst ones are the ones that do not take off the old version when they do the update; most luckily now do. Smartphones and tablets are the new one: I get app updates constantly and they seem to be bigger each time and do not really do much more or seem any different (a big bugbear of mine). Luckily I work in a company that uses Citrix and cloud based products, therefore it is not in my remit to actually do any of the updates for the systems themselves (it is some other poor bugger's job); the only updates I personally have to do are firmware updates and a few Windows 8 machines which are stand alone and not on the network.

                                    • Re: No One Expects The Java Patch!
                                      pedroclark

                                      Java is one of the most interesting languages for making software.