Reputation: 945
I see a lot of Java CVEs related to running malicious applets - but I rarely see CVEs that affect the server-side component of the JVM. Example: http://www.f-secure.com/v-descs/exploit_java_cve_2012_4681_h.shtml
Can anyone explain the difference with examples or sources (maybe a list of server-side vs. client-side CVEs?) comparing the two?
Upvotes: 4
Views: 729
Reputation: 11953
Generally speaking, you don't see many CVEs that affect the server side because the server side virtually never runs user-provided code (or an attacker's code). The vulnerabilities on the server side are mostly failures to properly handle input, and issues with configuration, so not Java's fault.
The client side, however (applets being a great example), has lots of CVEs because the user's local JVM is actually running bytecode that was provided by the attacker. Vulnerabilities in the JVM can then be triggered and exploited. These same vulnerabilities are usually present on the server side, but they aren't accessible to attackers.
Another reason you don't see many server-side CVEs is that most of the server-side vulnerabilities are application/implementation-specific, and only affect the one application. There are quite a few CVEs for big web apps like WordPress, however.
Upvotes: 4