I patched Java on a bunch of systems this week, by hand. It was the first time I’ve done such a thing since probably sometime in 2007. So no one would blame me if it didn’t go 100% as planned, and, predictably, it didn’t. I did eight systems, and it worked on all but the first and last. Of course I didn’t discover that it failed on the first one until later in the day. Java itself seemed to work OK, but the log collector that requires Java didn’t.
The log collector is the only reason we have Java installed, so that’s not OK, of course.
The quick fix is to uninstall the new Java and reinstall the old one, then double-check the version number. That worked. But it’s not ideal.
Nothing drove that home like the end of the day. At the end of the day, two penetration testers were talking about exploiting Java.
“Keep your exploits away from my log collectors,” I said. “They’re vulnerable.”
They laugh-groaned. They understood. It happens. It happens a lot.
There are things for me to try, but at the beginning of the day, not the end. I’ll do that. Upgrading the log collector might do it. Implementing whitelisting would go a long way if I couldn’t do anything else.
That’s the life of a security professional. Make the systems just as secure (and available) as you can. Some days you can have it all, but most days you can’t. You do the best you can, and try to make tomorrow better.
It’s all I can do.