
The motivation for my question is simple: unfortunately, Oracle has stopped development of Java 6 and will not provide any additional builds. If Oracle discovers any security issue, they will fix it only in Java 7. We have a big project developed in Java 6, and I do not have the resources to convert it to Java 7.

So, I want to compile the code with the last build of JDK 6 (6u45) and run it on the most up-to-date build of JDK 7.

In this case, will my byte code be open to vulnerabilities that were fixed in JDK 7?

Added:

An example of an Oracle Java SE Critical Patch Update: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

Unfortunately, the next security patches will not be applied to JDK 6.

So, the updated question is: should I run my code using the latest JRE 7 without recompiling my Java 6 byte code? Or should I recompile my code using the latest JDK and also run it using the latest JRE?

Michael
  • We can't answer this question unless we know what the vulnerability is. – tbodt Aug 21 '13 at 17:54
  • Chances are that it'll be fixed at the JVM level, which means it'll be fixed when you run the bytecode under JVM7/JDK7. But it's impossible to say definitively for all cases. – yshavit Aug 21 '13 at 17:56
  • The vulnerability could be in javac, the JVM, or in JDK classes. In some cases it could involve using (vulnerable) API X vs ((maybe) invulnerable) API Y, and unless you change your source you will either still be vulnerable or will simply not function. – Hot Licks Aug 21 '13 at 17:59
  • I have not read any news that says "recompile your code" - just "update your JRE to X because version Y is vulnerable". – zapl Aug 21 '13 at 18:02
  • @HotLicks If it's in the JDK classes, you won't need to recompile, since the JVM installation supplies those. And if it's in a third-party library, it doesn't apply to this question, which is specifically about Oracle discovering issues in Java. A security hole in javac is of course possible, but I don't remember ever hearing of one. – yshavit Aug 21 '13 at 18:11
  • There are any number of possibilities. Simply based on statistics/probabilities, likely just using the new JDK is sufficient, but it's hard to say that with any certainty. – Hot Licks Aug 21 '13 at 18:28

1 Answer


If the vulnerabilities are in the virtual machine or the API, your code isn't open to them if you run it with Java 7. If a vulnerability is in the compiler, you can fix it by compiling your code with Java 7.

tbodt