Java is a very popular language for application development for many reasons, including speed and portability. Java applications are compiled to Java bytecode which is in turn run by the Java Runtime Environment, more commonly known as the JRE. To avoid problems from the JRE not being installed or the wrong version being installed, many applications install their own copy of the JRE in their own folders.
There are many problems with this approach including
- never updated to fix security patches
- may be many years out of date with many known security issues
- almost guaranteed not to be configured to be secure
Another case is believing that you are safe from known java vulnerabilities because you keep your JRE up to date. However, malicious code or a malicious actor can use an older, insecure JRE residing on your machine that you're unaware of. An analogy would be a heavily secured front door but an unlocked window.
The solution begins with independently installing the latest version of the JRE SE 8 and if possible applying the STIG. The STIG can be found here at STIG Viewer. Even if you don't apply the STIG you should still set up deployment.config and deployment.properties files as detailed in the STIG. The next step is to locate all versions of the JRE by searching for the file 'java.exe'. For each 'java.exe' run 'java.exe -version' and record all the locations and versions (1.8 is version 8). For example, the Arduino IDE comes with its own JRE located in 'C:\Programs Files (x86)\Arduino\java\' and the version is 1.8.0_191 which is Java SE 8 Update 191 and was released on Oct 16th, 2018. As of Jan 10th, 2021, the latest version is Java SE 8 Update 271. You can find the 234 CVE's associated with Update 191 at the National Vulnerability Database.
If you find versions 9, 10, or 11 you may need to install JRE SE 11 as versions 9 and 10 are no longer supported. Anything later than 11 install the latest version of the JRE. Some Java 8 programs don't work with later versions so that is something to be mindful of. As of January 2021, only the Java 8 and 11 JREs have long-term support and therefore should be used if possible. Further information is at the Java Release FAQ page.
One by one, back up and delete the java folders, testing each application as you do so. If the applications don't work, it may mean they need a specific major version e.g. 8, 9 , 10.
Another possibility is that the application needs not just the JRE but the Java Development Kit (JDK) as well. The JDK includes tools to build java programs including javac.exe which is the java compiler. If it does, then there are many more security more considerations.
If the system does not have strong application whitelisting then having the JDK on a system allows the user to compile java source code they have written, but has not been evaluated, and run that java code on the system. In non-development environments, systems should not have the JDK (or any other development kit) kit installed useless under extraordinary situations. That is a topic for another post and another time.
Out-of-date Java runtimes are a large and common security risk on a PC but the preceding steps should make having Java on your machine much less dangerous and more manageable.
