Best Practice for Installing Java on Ubuntu / is it secure?
Much has been said about the security risks associated with Java. However, Burp Suite (pen test) depends on Java.
Is it secure to install Java? If so, how do I do it properly?
My Ubuntu is a web server and I don't need Java for web services - only for burp suite.
Java related security considerations
I think the problem with Java security is first and foremost related to:
- Outdated insecure versions
- Java running as applets within your browser makes you vulnerable to exploits coming from remote.
So to mitigate this you should:
- Install Java from a repository (so you can update with sudo apt-get update && sudo apt-get upgrade later)
- Don't install the Java-Plugin
- .. or disable it with NoScript (Firefox) / NotScript (Chrome)
Since you are installing Java on a server and you won't run a browser there, you will only have to deal with the first problem. So update Java regularly (which you should do with any installed software anyway).
How to install Open-Java
First enable the universe repository, if you haven't done so already.
Then install Java with
sudo apt-get install openjdk-7-jre
This will install Java without the Java-Plugin.
How to install Oracle-Java
To get an automatically updatable Java from Oracle, you can use the PPA provided by webupd8.
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer
This article has the details about the Oracle-Java PPA. Unfortunately I don't know how to not install the Java-Plugin with this PPA.
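One way to check the plugin point above on a host where it is unclear whether the Java plugin came along with the install, as an added example that is not part of the original answers. It assumes the common NPAPI plugin file names libnpjp2.so (Oracle) and IcedTeaPlugin.so (IcedTea-Web) and typical Ubuntu plugin directories; find_java_plugins is a name chosen here.

```shell
#!/bin/sh
# Added example: list browser plugin entries that point at a Java NPAPI plugin.
# File names and directories below are assumptions about a typical Ubuntu
# layout; adjust them for your release and browsers.

find_java_plugins() {
    for dir in "$@"; do
        # Skip plugin directories that do not exist on this host.
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            # An empty directory leaves the glob unexpanded; skip that case.
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            # Plugin entries are usually symlinks with a generic name
            # (managed by update-alternatives), so resolve to the real file.
            target=$(readlink -f "$entry" 2>/dev/null || printf '%s' "$entry")
            case "${entry##*/}:${target##*/}" in
                *libnpjp2.so*|*IcedTeaPlugin.so*)
                    printf '%s -> %s\n' "$entry" "$target"
                    ;;
            esac
        done
    done
    return 0
}

# Scan the usual system-wide and per-user plugin directories.
# No output means no Java plugin is registered in these locations.
find_java_plugins \
    /usr/lib/mozilla/plugins \
    /usr/lib/firefox-addons/plugins \
    "$HOME/.mozilla/plugins"
```

Any line printed names a plugin entry to remove or disable; on a server without a browser the expected result is no output.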
For installing the latest Oracle Java:
To check the installed Ubuntu system architecture:
$ uname -m
or
$ arch
Download the Oracle Java JDK for Linux. Make sure you select the correct compressed binaries for your system architecture, 32-bit or 64-bit (which end in tar.gz). It will be downloaded to the Downloads folder in home. So first open nautilus with sudo as
sudo nautilus
and make a folder java under
/usr/local/
and then run the following commands:
cd /home/"your_user_name"/Downloads
sudo cp -r jdk-7u40-linux-x64.tar.gz /usr/local/java
cd /usr/local/java
sudo chmod a+x jdk-7u40-linux-x64.tar.gz
sudo tar xvzf jdk-7u40-linux-x64.tar.gz
At this point you should have two uncompressed binary directories in /usr/local/java. Check it with
ls -a
Now edit the system path file with
sudo gedit /etc/profile
Scroll down to the end and add the following lines:
JAVA_HOME=/usr/local/java/jdk1.7.0_40
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
export JAVA_HOME
export PATH
Save and exit, then run these commands in a terminal to inform your Ubuntu Linux system where your Oracle Java JDK/JRE is located.
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jdk1.7.0_40/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/local/java/jdk1.7.0_40/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/local/java/jdk1.7.0_40/bin/javaws" 1
sudo update-alternatives --set java /usr/local/java/jdk1.7.0_40/bin/java
sudo update-alternatives --set javac /usr/local/java/jdk1.7.0_40/bin/javac
sudo update-alternatives --set javaws /usr/local/java/jdk1.7.0_40/bin/javaws
. /etc/profile
Now everything is installed; just check it with
java -version
The output must look like
java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b40)
Java HotSpot(TM) Server VM (build 23.1-b03, mixed mode)
Congratulations, now it's installed.