OpenJDK Security – Is OpenJDK Vulnerable to 0-Day Exploits?
I was curious to know if OpenJDK is also vulnerable to the Zero-Day Exploit that is currently afflicting Java 7 because of which experts are telling people to disable Java until a solution is found on all operating systems.

Best Answer

Update: see Ubuntu Security Notice USN-1693-1

It was discovered that OpenJDK 7's security mechanism could be bypassed via Java applets. If a user were tricked into opening a malicious website, a remote attacker could exploit this to perform arbitrary code execution as the user invoking the program.

Probably not for the specific exploit being used in the wild for Oracle's Java 7 plugin. These exploits are usually specifically crafted to run with a specific set of software.

However, OpenJDK can be vulnerable in a similar way, if it's because of a design/architecture error in the way Java works in a browser. I could not find any details on it (at the time of writing) to support that statement with facts, but previous vulnerabilities were specifically for Oracle's JRE/JDK while OpenJDK has its own.

Please note the difference between an exploit and a vulnerability in this context.

Also note that you are probably affected to some extent if you're running Oracle's JRE/JDK on Ubuntu. However, the exploits are probably targeted for Windows hosts, and Oracle's JRE/JDK is no longer distributed by Ubuntu, due to licensing issues (Oracle doesn't allow redistribution anymore).