4

I'm getting a lot of flak and resistance from developers for not allowing a large (200+ users) roll-out of Oracle's JInitiator (http://www.oracle.com/technetwork/testcontent/jinit-084453.html) as substitute Oracle Forms clients. JInitiator is an old JRE version put out by Oracle to get around bugs in early versions of the Java browser plugins. Oracle ended support for it in 2008 and advises against using it.

We keep patching the JRE on the desktop and this disrupts business each time because it blows away required dlls that currently live in the JRE/bin folder. We have a ready solution to this problem: Oracle forms server can be configured to drop the dlls in another folder.

I wanted to confirm my thoughts about JInitiator: It is an ancient version of the Java browser plugin that probably has many of the same flaws as the current Java browser plugins. Just because there aren't any CVEs on it doesn't mean it is safe. If it got the same attention the Java plugin is getting it wouldn't stand up.

Thank you for your attention whether you back me up or not.

mcgyver5

3 Answers

5

JInitiator is based on Sun (now Oracle) JVM implementation, so it is a safe bet that every single vulnerability which was in Sun/Oracle JVM before 2008 (when the last JInitiator version was produced) but discovered only afterwards applies to JInitiator. Lack of CVE only comes from disinterest on the part of people who file CVEs (there is no glory in pointing out security flaws in a product which has been discontinued five years ago).

Note that some vulnerabilities are novelties, e.g. the one described on this page uses a feature introduced with Java 7 -- it would not work on JInitiator. You may want to go through this list: vulnerabilities which were discovered after 2008, but impact JRE 1.3 and later, have a high probability of impacting JInitiator as well. You only need to find one working exploit demo to have a convincing case that JInitiator should be rolled out ASAP.

Tom Leek
3

Update (June 2015):

  • Oracle Forms 11g (the latest version) is now certified with Java 7 (or 1.7; the naming convention chops and changes with Java!) and I believe with the latest Java 8 too. I can certainly confirm that an Oracle Forms 11g application works with both of these versions, with no tweaks required on the JRE client side.

  • Oracle Forms 10g (now de-supported) can be made to work with both Java 7 and 8 - this means, for sites which have to use Oracle Forms 10g (legacy systems, slow upgrade path, etc), you can at least ensure that they are using the latest JRE client.

The steps to achieve compatibility with the newer Java clients for Oracle Forms 10g are, however, quite brutal - you have to override the vendor information for the JRE client (otherwise it thinks you are running an even older version of JInitiator) and update any JARs used by your application to bring them in line with the current requirements for signed JARs; this includes the Oracle JARs which are part of the Oracle iAS 10g web server (the platform used to run Oracle Forms 10g).

The steps needed to override the vendor information in the JRE client are covered in this Stack Overflow response: https://stackoverflow.com/a/24140005/2335347

To update the JARs, the existing Oracle signatures need to be removed, the manifests updated, then the JARs need to be re-signed with your own code signing certificate; we use one from Comodo which works with no problems.

It's a lot to do, but once done your legacy Oracle Forms 10g system should work correctly with the latest JRE client, with no security warnings for your end-users.

  • Welcome to Security.StackExchange, and nice addition to this question, well done. (+1) – LvB Jun 02 '15 at 11:16
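The JAR clean-up this answer describes (drop the old Oracle signature, update the manifest, then re-sign with your own certificate), as an added Python example that is not part of the original answer. It assumes the manifest attributes Java 7u51 and later check on signed applet JARs (Permissions, Codebase, Application-Name); the Codebase value and the sample JAR are constructed placeholders, and the final jarsigner step is left to a JDK.

```python
import io
import re
import zipfile

# Main-section attributes Java 7u51+ expects on a signed RIA JAR; Codebase is a placeholder.
NEW_ATTRS = {"Permissions": "all-permissions", "Codebase": "forms.example.internal",
             "Application-Name": "Oracle Forms 10g client"}
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # what the old jarsigner run wrote


def rewrite_manifest(text):
    """Keep the main section only (per-entry digests belong to the old signature),
    unfold wrapped lines (continuations start with a space) and merge NEW_ATTRS."""
    main = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    attrs = {}
    for line in re.sub(r"\r?\n ", "", main).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    attrs.setdefault("Manifest-Version", "1.0")
    attrs.update(NEW_ATTRS)
    return "".join(f"{k}: {v}\r\n" for k, v in attrs.items()) + "\r\n"


def strip_signatures(jar_bytes):
    """Copy of the JAR with META-INF signature entries dropped and the manifest rewritten."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                continue
            data = src.read(name)
            if name == "META-INF/MANIFEST.MF":
                data = rewrite_manifest(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue()


def inspect_jar(jar_bytes):
    """Entry names and manifest text, so the result can be checked without a JDK."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return z.namelist(), z.read("META-INF/MANIFEST.MF").decode("utf-8")


def build_sample_jar():
    """Constructed stand-in for a vendor-signed Forms JAR (not a real Oracle file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nCreated-By: 1.3.1\r\n\r\n"
                   "Name: oracle/forms/Demo.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/ORACLE.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/ORACLE.RSA", b"constructed signature block")
        z.writestr("oracle/forms/Demo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Write the stripped bytes to disk and re-sign them with `jarsigner -keystore <your.jks> <stripped.jar> <alias>` using your own code-signing key.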
1

Yes, as @Tom Leek said, migrate away from JInitiator, it is worse than the alternatives and old JRE exploits should work against it.

BUT:

The news just gets worse from here.

Oracle Forms is only certified for running on 1.6 JRE, which is now not getting updates.

And sometimes JRE 1.7 updates can blow away any 1.6 installs (current advice from Oracle is to turn off automatic updates of Java on unmanaged Windows).

So, you have just gone down the rabbit-hole, and the developer of Java and the developer of Oracle Forms are making conflicting decisions (of course they are both Oracle Corp).

Welcome to my world.

Andrew Russell