Forum Thread: Updating bundled JRE

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Oracle Java JRE 1.5.x / 5.x

This thread has been marked as locked.
lamaslany Updating bundled JRE
Member 9th May, 2009 22:54
Ranking: 22
Posts: 19
User Since: 8th May, 2009
System Score: N/A
Location: N/A
While I have JRE 1.6.0 installed for most of my Java runtime requirements I do have an application that has a bundled version of the Java runtime environment (JRE 1.5.0) that is being flagged as a security risk. As the application in question uses the older JRE I believe that the risk it poses is real.

What is the recommended way to update a bundled version of the Java runtime environment?

Many thanks,

Maurice Joyce RE: Updating bundled JRE
Handling Contributor 9th May, 2009 23:28
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You should try & update the programme via the programme vendor's site.

If there are no updates I would contact their support & ask them to fix the insecurity.

Could prove difficult if a "freebie" programme, but paid-for version support should assist you to fix it.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
lamaslany RE: Updating bundled JRE
Member 9th May, 2009 23:40
Score: 22
Posts: 19
User Since: 8th May 2009
System Score: N/A
Location: N/A
I am running the latest version available and have already left a message on their forum asking for clarification on how best to proceed.

I suppose it is a 'freebie' in that it is open source.

If all else fails I suppose I could try and compile the source rather than relying on the pre-compiled binaries.

I just wondered whether there was an easy way to update a bundled instance of JRE... :)
lamaslany RE: Updating bundled JRE
Member 2nd Jul, 2009 10:18
Score: 22
Posts: 19
User Since: 8th May 2009
System Score: N/A
Location: N/A
In the end I have settled on the use of a symbolic link. By using a symlink it is possible to use the system-wide copy of JRE rather than an unmaintained bundled JRE.

In my case there was some added complexity as the app does not work with JRE 1.6.x. I downloaded and installed the latest JRE 1.5.x from the Sun website: http://java.sun.com/javase/downloads/5/jre.

1. Stop the application(s)/service(s) that rely on the bundled JRE
2. Locate the bundled JRE and rename the folder (I use a .OLD extension). This allows you to quickly re-instate the old JRE if you encounter problems.
3. Run: MKLINK /D /J "<path of the bundled JRE>" "<path of the system wide JRE>"

Now restart the application(s)/service(s) and see if everything is still working! :)

If you need to roll back the change simply stop the application(s)/service(s) and rename the original bundled JRE to its original name.


As an example: Zimbra Desktop

TASKKILL /F /IM zdesktop.exe
TASKKILL /F /IM zdclient.exe
RENAME "%localappdata%\Zimbra\zdesktop\jre" "jre.old"
MKLINK /D /J "%localappdata%\Zimbra\zdesktop\jre" "%programfiles%\Java\1.5.0_19"

A couple of things to note:
* The above assumes default paths for Zimbra Desktop and the JRE.
* You do not need to use environmental variables - full paths are fine.
* If run on an x64 version of Windows, %programfiles% points to the x64 programs and not the x86 (32-bit) programs. This is an issue if you need the x86 JRE on an x64 Windows OS (such as Zimbra Desktop on Windows x64).
* If you already have JRE 1.6.x installed when you install JRE 1.5.x, the latter will hijack the java-specific references. Simply over-installing JRE 1.6.x fixed the issue for me. I am sure that there is a less clumsy way to do this but I was disinclined to investigate further.
* If you simply rename the bundled JRE Secunia PSI will likely detect it as insecure. You can either delete it, tell Secunia to ignore it (should be safe as none of your apps should know how to reference it) or you could archive it to a password-protected file. This means Secunia PSI would be unable to read the archive and so not find the old JRE as an insecure application. It also has the benefit that you can extract the JRE again should you discover a problem with the new JRE.
lamaslany RE: Updating bundled JRE
Member 12th Aug, 2009 10:33
Score: 22
Posts: 19
User Since: 8th May 2009
System Score: N/A
Location: N/A
Last edited on 12th Aug, 2009 10:34
Sun have released another update since my last post so I thought I'd document my procedure here (not least so I can refer back to it myself should I forget!)

The following procedure is based on the Zimbra Desktop example of my last post where a Directory Junction has already been created:

Close the Yahoo! Zimbra Desktop client
> TASKKILL /F /IM zdclient.exe

Stop the Yahoo! Zimbra Desktop Service
> NET STOP "Yahoo! Zimbra Desktop Service"

Uninstall the old JRE 1.5.0_19

Install the new JRE 1.5.0_20
> note: recommend the Custom install and electing not to register with Microsoft Internet Explorer or Mozilla and Netscape

Remove the old directory junction
> rd "%localappdata%\zimbra\zdesktop\jre"

Create the new directory junction
> mklink /D /J "%localappdata%\zimbra\zdesktop\jre" "%programfiles(x86)%\Java\jre1.5.0_20"

Start the Yahoo! Zimbra Desktop Service
> NET START "Yahoo! Zimbra Desktop Service"

Start the Yahoo! Zimbra Desktop client
> "%localappdata%\zimbra\zdesktop\win32\prism\zdclient.exe"



Note: if on a 32-bit version of Windows, the environmental variable to create the new directory junction should be %programfiles% rather than %programfiles(x86)%.
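Added example, not part of any post in this thread: a Python sketch covering both procedures above, the first swap (bundled folder renamed to .old, then linked) and the later re-point of an existing junction, with a pre-check on the target and a rollback if the link does not work. The function names are hypothetical; it assumes the application and its service are already stopped, and off Windows it uses a plain symlink as a stand-in for the junction.

```python
import os
import subprocess
from pathlib import Path

JAVA = Path("bin") / ("java.exe" if os.name == "nt" else "java")

def is_link(p: Path) -> bool:
    """True if the last path component is a junction or symlink."""
    plain = os.path.join(os.path.realpath(p.parent), p.name)
    return os.path.normcase(os.path.realpath(p)) != os.path.normcase(plain)

def make_link(link: Path, target: Path) -> None:
    if os.name == "nt":  # NTFS directory junction, via the thread's mklink
        subprocess.run(["cmd", "/c", "mklink", "/J", str(link), str(target)],
                       check=True, stdout=subprocess.DEVNULL)
    else:                # assumption: symlink as a stand-in off Windows
        os.symlink(target, link, target_is_directory=True)

def remove_link(link: Path) -> None:
    """Remove only the link itself, never the JRE it points at."""
    if os.name == "nt":
        os.rmdir(link)
    else:
        os.unlink(link)

def repoint_bundled_jre(bundled: Path, system_jre: Path) -> str:
    """Point `bundled` at `system_jre`; returns "replaced" or "relinked"."""
    system_jre = system_jre.resolve()
    if not (system_jre / JAVA).is_file():
        raise FileNotFoundError(f"{system_jre / JAVA} missing; nothing changed")
    backup = bundled.with_name(bundled.name + ".old")
    if is_link(bundled):                  # later update: only re-point
        old_target = Path(os.path.realpath(bundled))
        remove_link(bundled)
        action, undo = "relinked", lambda: make_link(bundled, old_target)
    else:                                 # first run: keep the copy as .old
        if backup.exists():
            raise FileExistsError(f"{backup} already exists; nothing changed")
        bundled.rename(backup)
        action, undo = "replaced", lambda: backup.rename(bundled)
    try:
        make_link(bundled, system_jre)
        if not (bundled / JAVA).is_file():
            raise RuntimeError("java not reachable through the new link")
    except Exception:                     # roll back to the previous state
        if is_link(bundled):
            remove_link(bundled)
        undo()
        raise
    return action
```

The .old copy left by the first run is still a full, unpatched JRE on disk, so it needs the same handling as the renamed folder discussed in the 2nd Jul post.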
RE: Updating bundled JRE
Member 13th Sep, 2009 11:44
Score: -2
Posts: 3
User Since: 16th Feb 2008
System Score: N/A
Location: N/A
on 9th May, 2009 22:54, lamaslany wrote:
While I have JRE 1.6.0 installed for most of my Java runtime requirements I do have an application that has a bundled version of the Java runtime environment (JRE 1.5.0) that is being flagged as a security risk. As the application in question uses the older JRE I believe that the risk it poses is real.

What is the recommended way to update a bundled version of the Java runtime environment?

Many thanks,
