Java Version 7 Update 51 and the vCO Client

You might have noticed that Oracle recently released Java Version 7 Update 51. Like most recent Java updates, this one is classified Critical and includes patches to close some 36 security vulnerabilities as well as some changes in functionality. As nearly all of these vulnerabilities are remotely exploitable, it’s highly recommended that you apply this update. But beware...

If you have already applied this update you might have discovered that it breaks the vCenter Orchestrator Client. On attempting to run the vCO Client you are presented with this not very helpful message:

[Image: vCO Client error dialog]

While you could roll back to an earlier version of Java to get around this, it’s not an ideal solution as Java vulnerabilities are commonly targeted by malware authors and other miscreants. Running on the latest version of Java is always a key recommendation in terms of security so I thought I would dig a bit deeper into this problem to find a better solution than running an insecure version of Java.

Clicking on the Details button of the above dialog provided the following information:

[Image: vCO Client error details, showing the missing Permissions manifest attribute]

From that we know that Java is unhappy because the Permissions attribute is missing from the JAR manifest, where it now expects to see it. So what changed between Java versions that caused it to refuse to run the app following the update? The release notes for Java Version 7 Update 51 at http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html mention the following change:

  • Require Permissions Attribute for High Security Setting

This sounds promising. Java has defaulted to a High security setting for all applets and Web Start applications since Update 11, so by default this is the security context that will be used for the vCO Client. With Update 51, Oracle has additionally mandated that every applet or Web Start application running in the High security context carry a Permissions attribute in its JAR manifest. As the vCO Client was released prior to Update 51 of Java it doesn’t have this attribute, so Java refuses to let it run.

So now that we’ve found the problem, how do we fix it? As I said earlier, you could roll back to the earlier version of Java, but that would leave you with a whole lot of Java vulnerabilities that you don’t want or need. Another option would be to set the default Java security level to Medium instead of High. This is also not ideal, as it would result in applets from all web sites running in the Medium security context. As you more than likely don’t control these sites or the content they contain and push down to your browser, it’s best to maintain the default High security setting.

The fix is actually pretty simple. Oracle provides you with a method by which you can specify sites that are not subject to the enhanced Permissions attribute requirement. To exclude your vCO server from these enhanced checks, perform the following steps:

  • Open the Java Control Panel and go to the Security tab. At the bottom of the dialog you will see the current Exception Site List. Click the Edit Site List button.
    [Image: Java Control Panel, Security tab]

  • You should now see the Exception Site List dialog. Click the Add button.
    [Image: Exception Site List dialog]

  • In the exception entry dialog, enter the URL for your vCO Server. Note that the Java Exception list is protocol, address and port sensitive so you must specify https://<fqdn>:8281 for a default vCO installation.
    [Image: Add exception site dialog]

That’s it. Your vCO Client should now be working correctly and securely.
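The same exception can be recorded without the Java Control Panel, which is handy when you need to push it to many workstations. The following is an added example, not part of the original post or of VMware’s or Oracle’s tooling. It assumes that Oracle Java keeps the per-user Exception Site List in a plain text file named exception.sites, one URL per line, under the deployment security directory (the Linux default path is used below; on Windows the file sits under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security). The hostname vco.example.com is a constructed placeholder. The validation deliberately accepts only https entries with an explicit port, because the list is protocol, address and port sensitive and a looser entry (http, or a wildcard host) would widen the exemption beyond the one vCO server you actually trust.

```shell
#!/bin/sh
# Added example: manage the Java Exception Site List for the vCO Client from the shell.
# Assumed file location (Linux default for Oracle Java 7); adjust for your platform.
SITES_FILE="${HOME}/.java/deployment/security/exception.sites"

# Accept only an entry that names https, a concrete host and an explicit port,
# e.g. https://vco.example.com:8281 for a default vCO installation.
valid_vco_site() {
    case "$1" in
        https://*:[0-9]*) ;;
        *) return 1 ;;             # not https, or no port given
    esac
    host_port=${1#https://}
    host=${host_port%%:*}
    port=${host_port#*:}
    port=${port%%/*}               # drop any trailing path
    case "$host" in
        ''|*\**) return 1 ;;       # empty or wildcard host: exemption would be too broad
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # port must be numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Append the entry to the exception.sites file once, creating the file if needed.
# Prints what was done; returns 1 if the entry fails validation.
add_exception_site() {
    file=$1
    url=$2
    if ! valid_vco_site "$url"; then
        echo "rejected: $url (expected https://<fqdn>:<port>)" >&2
        return 1
    fi
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -qxF "$url" "$file"; then
        echo "already present: $url"
    else
        printf '%s\n' "$url" >> "$file"
        echo "added: $url"
    fi
}

# Usage: sh add_vco_exception.sh https://vco.example.com:8281
if [ $# -ge 1 ]; then
    add_exception_site "$SITES_FILE" "$1"
fi
```

Java re-reads the file the next time a Web Start application or applet is launched, so no further action is needed; if the entry still does not take effect, check that the URL in the file matches the protocol, host and port of the vCO server exactly as the client launches it.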


2 Comments

  1. Thanks very very much. You saved a lot of my time. It is unfortunate this page is listed as the 5th page on Google.
  2. Newsletter: January 18, 2014 | Notes from MWhite
