brentil #1
CF7 & JRE security updates?
CFMX 7.0.2 with the latest patches runs JRE 1.4.2_09 at its core. There have
been several Critical security issues with the JRE versions CFMX7. All of the
Security bulletins from SUN suggest upgrading to 1.4.2_13 to protect yourself
from these vulnerabilities.
The main issue for me is we run machines that require that their patch level
meet the 1.4.2_13 to meet our certification requirements. Is it possible to
update the CF core to the newer version safely/reliably or does Adobe plan to
address these issues with their application in a timely fashion since there are
several agencies that must meet this same security requirement to stay in good
standings?
brentil Guest
-
ke4pym #2
Re: CF7 & JRE security updates?
You can configure CF to use an external JRE. Depending on your version you'll either do it in the admin or in your jvm.config file.
ke4pym Guest
-
brentil #3
Re: CF7 & JRE security updates?
[q]Originally posted by: ke4pym
You can configure CF to use an external JRE. Depending on your version you'll
either do it in the admin or in your jvm.config file.[/q]
The problem is the insecure version of the application is still on the
machine. For the machine to meet DoD requirements we must fulfill a required
set of standards, and the fix for this issue is in the list.
brentil Guest
-
ksmith #4
Re: CF7 & JRE security updates?
On Windows machines you must upgrade to the JDK version of the JRE, you cannot
use the JRE version. It lacks the server JVM required.
Unix/Linux machines generally install the JRE with a server JVM option.
CFMX 6 & 7 have already been certified on 1.4.2_11 and run fine. We would not
expect any issues using the 1.4.2_13 JVM and will clearly support that
configuration since it is required to resolve security issues.
I am not sure if and when we will certify a newer JDK than 1.4.2_11. It is
impossible to certify every point release of every JVM (OS, chipset, etc...)
ksmith Guest
-
brentil #5
Re: CF7 & JRE security updates?
[q]Originally posted by: ksmith
On Windows machines you must upgrade to the JDK version of the JRE, you cannot
use the JRE version. It lacks the server JVM required.
Unix/Linux machines generally install the JRE with a server JVM option.
CFMX 6 & 7 have already been certified on 1.4.2_11 and run fine. We would not
expect any issues using the 1.4.2_13 JVM and will clearly support that
configuration since it is required to resolve security issues.
I am not sure if and when we will certify a newer JDK than 1.4.2_11. It is
impossible to certify every point release of every JVM (OS, chipset, etc...)[/q]
Thanks for the reply. Following the DST information we've taken and upgraded
our CFMX 7.0.2 to now use the 1.4.2_13 version of the JDK. We've had our
development server running it for about a week now, so far our developers have
not run into any issues. I even removed the old JRE dir from inside of CFMX
7.0.2 to test if that could be done as well. So far no issues from that either.
brentil Guest
-
brentil #6
Re: CF7 & JRE security updates?
Just wanted to mention we've been running 1.4.2_13 on our development machine since my last post with no issues. We've rolled out the same version to 4 production servers with no issues as well.
brentil Guest
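
The check the thread describes, as an added example that is not part of any post above: read `java.home` from `jvm.config`, then compare each JVM's reported version against 1.4.2_13 numerically, so a leftover bundled JRE is flagged as well as the configured one. The sample config, both directory paths and the version strings (as `java -version` would print them) are constructed assumptions.

```python
import re

REQUIRED = "1.4.2_13"  # patch level the thread says the bulletins call for

# Constructed sample jvm.config; the java.home path is an assumption.
SAMPLE_CONFIG = """\
# VM configuration
java.home=C:/j2sdk1.4.2_13/jre
java.args=-server -Xmx512m
"""

def parse_java_home(config_text):
    """Return the java.home value from jvm.config text, or None if unset."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "java.home":
            return value.strip()
    return None

def version_tuple(text):
    """Parse '1.4.2_13' (bare or inside `java -version` output) into ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text)
    if m is None:
        raise ValueError("no Java version found in %r" % text)
    return tuple(int(part or 0) for part in m.groups())

def meets_requirement(reported, required=REQUIRED):
    """True when the reported version is at or above the required level."""
    # Integer comparison: as plain strings, "1.4.2_9" sorts above "1.4.2_13".
    return version_tuple(reported) >= version_tuple(required)

def below_requirement(installed, required=REQUIRED):
    """Given {directory: version string}, list directories under the level."""
    return sorted(d for d, v in installed.items()
                  if not meets_requirement(v, required))

if __name__ == "__main__":
    # Constructed inventory: the configured JDK plus a leftover bundled JRE.
    inventory = {
        parse_java_home(SAMPLE_CONFIG): 'java version "1.4.2_13"',
        "C:/CFusionMX7/runtime/jre": 'java version "1.4.2_09"',
    }
    print("java.home:", parse_java_home(SAMPLE_CONFIG))
    print("below", REQUIRED + ":", below_requirement(inventory))
```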




