
Honestly, I never needed any Java updates on the server side. I'm sure that they are fixing something important, but I've yet to encounter any bugs. My recent projects should run on Win32 and given that they dropped support, I won't migrate from Java 8 even if it won't be updated.



You may not have encountered any bugs but what about the vulnerabilities they’re fixing - do you not care to have those fixes?


Can you provide examples of those vulnerabilities? All vulnerabilities I'm aware of are from Java applet technology and not applicable to server applications. The only vulnerability that I can remember is something about parsing float, but even that was very low risk.


All those TLS/SSL implementation vulnerabilities with fancy names like POODLE, for example.

https://www.oracle.com/technetwork/topics/security/poodlecve...

There's a lot more but it of course depends on the subset of the JDK that you're using. Look over the release notes for historical JDK updates.


I don't use TLS and even if I did use it, I would use an nginx frontend. My subset is fairly common: Spring+JDBC, sometimes Hibernate, sometimes pure servlets, but basically all interaction with the outer world is via the HTTP interface implemented in Tomcat.


A targeted attack would probably hole you fairly easily then. Cleartext means you’re likely open to all sorts of replay attacks and data leaks, which can then be escalated to exploit vulnerable libs and the JVM.



