Last Updated on November 29, 2018 by Dave Farquhar
I patched Java on a bunch of systems this week, by hand. It was the first time I’ve done such a thing since probably sometime in 2007. So no one would blame me if it didn’t go 100% as planned, and, predictably, it didn’t. I did eight systems, and it worked on all but the first and last. Of course I didn’t discover that it failed on the first one until later in the day. Java itself seemed to work OK, but the log collector that requires Java didn’t.
The log collector is the only reason we have Java installed, so that’s not OK, of course.
The quick fix is to uninstall the new Java and reinstall the old one, then double-check the version number. That worked. But it’s not ideal.
Nothing drove that home like the end of the day. At the end of the day, two penetration testers were talking about exploiting Java.
“Keep your exploits away from my log collectors,” I said. “They’re vulnerable.”
They laugh-groaned. They understood. It happens. It happens a lot.
There are things for me to try, but at the beginning of the day, not the end. I’ll do that. Upgrading the log collector might do it. Implementing whitelisting would go a long way if I couldn’t do anything else.
That’s the life of a security professional. Make the systems just as secure (and available) as you can. Some days you can have it all, but most days you can’t. You do the best you can, and try to make tomorrow better.
It’s all I can do.