Java concerns with Ignition

Curlyandshemp · April 4, 2022, 2:43pm

I have a customer that has concerns about Java and the security concerns around Java. Is there a white paper or article that can address this?
This customer’s IT department is hestitant to install Ignition on their server.

Kevin.Herron · April 4, 2022, 3:03pm

pturmel · April 4, 2022, 3:12pm

That’s a really old document. Even pitches java webstart as if it is current. Probably time to update it. A pointer to the log4j statement might be more helpful.

Kevin.Herron · April 4, 2022, 3:14pm

Yep, probably should…

JordanCClark · April 4, 2022, 3:14pm

There was an announcement the last Thursday (2022-03-31, as of this writing) on a zero-day using Spring Framework. I don’t know if it applies to anything IA related.

Kevin.Herron · April 4, 2022, 3:15pm

It does not.

JordanCClark · April 4, 2022, 3:17pm

Didn’t think so, but I’m sure there will be a flood of new threads…

EDIT: Link to the Log4J statement

Kevin.Herron · April 4, 2022, 3:19pm

Perhaps. I wrote a one-line response last week and we’re prepared with an official response if necessary, but unless inbound inquiries ramp up to the log4j CVE levels I don’t think we’ll explicitly announce anything.

So far there’s been almost no chatter about this.

PGriffith · April 4, 2022, 3:30pm

The overall tl;dr on Java “security” is that it’s a lot of FUD that mostly dates back to when applets were an extant thing. In that context, running arbitrary code on your machine that can freely access your filesystem just by visiting a webpage was terrible for security…but it’s not really Java that’s culpable, but the entire notion of applets.

Ignition 8.X versions ship with their own Java distribution (an up-to-date patch release of Java 11 at time of Ignition release). This Java distribution isn’t “installed” onto the OS of the gateway, Vision clients, designers, or Perspective sessions in any way; it’s just a flat series of files made available to the parts of Ignition that need it.

mathieurleblanc33 · April 6, 2022, 6:26pm

I have 2 clients who are asking if Ignition is impacted by Zero-Day RCE Vulnerability. I was able to provide them IA’s official response in regards to the Log4J and this satisfied their IT department. Do you have any official or un-official comments if Ignition is impacted?

Kevin.Herron · April 6, 2022, 6:28pm

This isn't specific enough to answer your question.

This is fine, but they may have been asking about the more recent one involving Spring Framework.

In either case Ignition is not impacted.