General Consultant Discussion


What to do, What to do?????http://www.chicagotri

Peter Wolf 01-14-2013 07:49

Jeff Schwenk 01-29-2013 13:58

  • 1.  What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:14
    What to do, What to do????? http://www.chicagotribune.com/news/sns-rt-us-java-securitybre90a0s3-20130111,0,5990182.story


  • 2.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:17
    This was from a company we partner with: "Our technical staff has seen a recent increase in an infection known as W32/Vobfus.GEP.worm. This infection is categorized as a worm and is contracted from the internet using an exploit in Java. This worm spreads via USB disk and/or network shares and tries to download then execute files from the internet. What does this mean to you? Java has built-in security patches to the exploits of this worm. Please confirm your Java is on the latest version: Java Version 7 Update 10. Instructions to check on your Java Version and update if necessary are located on our website."


  • 3.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:27
    But the Tomcat portions of Sage CRM require you to stay at Java 6 update 27...


  • 4.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:35
    So @PhilMcIntosh with that said - what do you do if a new client has updated their Java and now they want Sage CRM?


  • 5.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:52
    @PeterWolf - Is it just the CRM server that needs to stay at the old version of Java, or do the clients need to stay unpatched as well?


  • 6.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 13:55
    I'm checking with my team and with Sage people about this matter. Expect an unsatisfactory answer in an unsatisfactory time period. (I.e., don't hold your breath here.)


  • 7.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 15:36
    A tech just called me and said Java 6 update 27 has 'most' of the patches covered and while they want people to update to the latest, not everyone will be able to. He also said look for more releases to come.


  • 8.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-11-2013 16:09
    A good reference for disabling Java in the different browsers, if you can and not affect things like CRM: http://www.pcmag.com/article2/0,2817,2414191,00.asp


  • 9.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-14-2013 07:25
    From Sage CRM Dublin (the authority on Sage CRM technical issues): Sage CRM works with all post 26 updates. The reason for 26 is that there was a timezone issue fixed in it that we wanted to use. I have installed many updates past that without a problem. The issue has never been Sage CRM compatibility but the fact that when you run the update it doesn't always work, which leaves your JRE in a corrupt state so NOTHING using JAVA will work, not just Sage CRM.


  • 10.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-14-2013 07:25
    From Sage CRM Dublin (the authority on Sage CRM technical issues) 2: Just an FYI on the security issue mentioned below. This does not have anything to do with the way that we use JAVA. As explained in that article and what I have read online, it poses no threat to us whatsoever. We do not use JAVA plugins in the browser at all, and that is where the vulnerability is described; follow the recommended steps to disable Java plugins within your browser and Sage CRM should work just fine. We need to work together to make sure our customers and partners are informed correctly on these issues.


  • 11.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-14-2013 07:26
    Basically they are saying: if the install works correctly, you won't have any problems with later patches. Not quite our experience but I'm having my guys check this out.


  • 12.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-14-2013 07:39
    @PeterWolf - Is this from the same people from Dublin who sat there at Summit and claimed they had never heard of the Tomcat/Java problem? At any rate, the workstations can be given the latest Java updates without affecting Tomcat reliability on the server, correct?


  • 13.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-14-2013 07:49
    I believe you are correct Phil.


  • 14.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-29-2013 08:51
    So if I install the latest JAVA, I should be fairly secure? I have to download it to run the SSA Accuwage utility for electronic W-2 reporting.....


  • 15.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-29-2013 10:31
    I think so - just don't install any of the crapware that Java will try to foist on you


  • 16.  RE: What to do, What to do?????http://www.chicagotri

    Posted 01-29-2013 13:58
    Thanks.