Problem: Security vulnerability raised on Java version shipped with Esri product

Description

Due to known security vulnerabilities in certain Java versions, the earlier Java Runtime Environments (JREs) shipped with Esri products, ArcMap for example, raise security warning flags in some organizations. Those flags ultimately require either that the Java version used by ArcMap be updated or that the entire application be removed from the system for the organization to be in compliance with its security requirements.

The approach below details the steps that guide users into compliance with their organization's security requirements while keeping their current install of Esri products. The steps are described for an ArcMap installation, but can be used with other Esri products that ship with Java.

Cause

This is a known issue.

Solution or Workaround

  1. Locate the ArcMap Java installation directory:

    %AGSDESKTOPJAVA%\java

  2. Remove the 'java' folder and place it in a known and secure location to retain a back-up copy of the JRE that the software was shipped with.
  3. Uninstall Java (JRE) from the machine. This is the version of Java that does not meet the organization’s security requirements.
  4. Check to make sure that no other version of Java is running on the machine.

    a. Start a command prompt instance and type the string 'java -version'. If no version of Java is registered on the machine (referenced in the 'PATH' environment variable), the following response is returned:

    'java is not recognized as an internal or external command, operable program or batch file.'

    Note:
    This message does not necessarily mean that Java is not installed on the machine. It simply means that Java is not installed in a well-known location (normally, C:\Program Files (x86)\Java\) and/or that the location is not registered in the 'PATH' environment variable.

    b. To ensure that all versions of Java are removed from the machine, go to the Windows Control Panel, Programs and Features, and uninstall all versions of the JRE still on the machine.

    Note:
    At this point, the only copy of Java on the machine is the back-up copy of the version that came with ArcGIS.

  5. Download the latest version (or the version required by the organization) of the JRE from Oracle's website, for example:

    http://java.com/en/download/index.jsp

  6. Double-click the downloaded file.
  7. When the installer displays, select the check box for 'Change destination folder' and click Install.
  8. a. In Windows Explorer, create a folder in the %AGSDESKTOPJAVA% location and name it 'java'.

    b. Open the java folder and create another one in it called 'jre' to create the following folder path:

    %AGSDESKTOPJAVA%\java\jre

  9. In the Destination Folder dialog box of the Java Installer, click Change. In the Browse for Folder dialog, select the install location created in the previous step, and click OK.
  10. In the Destination Folder dialog box of the Java Installer, click Next.
  11. In the next dialog, uncheck the option to install the add-ons, and click Next to complete the installation.
  12. Go to the location of the backed-up copy of the Java version that came with ArcMap, open the folder, select and copy the 'lib' folder to the base java location:

    %AGSDESKTOPJAVA%\java

    At this point there should be two folders in the base installation location, 'jre' and 'lib'.
  13. Check the Java version by typing 'java -version' at the command prompt. If a message is returned that 'java is not recognized as an internal or external command, operable program or batch file', add the following path to the 'PATH' environment variable:

    %AGSDESKTOPJAVA%\java\jre\bin

    The Java version on the machine is now up to date, thus meeting the organization's security requirements while also ensuring that ArcMap uses the same version of Java.

    Note:
    The above approach assumes that the security flag is raised as a result of ArcMap attempting to use the version of Java it comes with, which may not meet the security requirements of the organization. Further information on Java security vulnerabilities is available from Oracle’s critical patch update advisory site.
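The following PowerShell script is an added verification check, not part of the Esri article. Run after step 13, it confirms that the 'jre' and 'lib' folders exist under %AGSDESKTOPJAVA%\java, that the relocated jre\bin is on PATH and is the java.exe PATH actually resolves to, and that the version reported by 'java -version' meets a minimum baseline; it assumes AGSDESKTOPJAVA is set and uses a placeholder minimum version that the organization would replace with its own.

```powershell
# Added check script (not from the Esri article). Assumes %AGSDESKTOPJAVA% is set.
# $MinimumVersion is a placeholder baseline; set it to the version the organization requires.
param(
    [version]$MinimumVersion = '1.8.0'
)

$base    = Join-Path $env:AGSDESKTOPJAVA 'java'
$jreBin  = Join-Path $base 'jre\bin'
$javaExe = Join-Path $jreBin 'java.exe'
$problems = @()

# Steps 8 and 12: both 'jre' and 'lib' must sit directly under %AGSDESKTOPJAVA%\java
foreach ($dir in 'jre', 'lib') {
    if (-not (Test-Path (Join-Path $base $dir))) { $problems += "Missing folder: $base\$dir" }
}
if (-not (Test-Path $javaExe)) { $problems += "No java.exe at $javaExe" }

# Step 13: jre\bin must be in PATH so that 'java -version' resolves to the relocated JRE
$pathEntries = $env:Path -split ';' | ForEach-Object { $_.TrimEnd('\') }
if ($pathEntries -notcontains $jreBin.TrimEnd('\')) { $problems += "PATH does not include $jreBin" }

# 'java -version' writes to stderr; capture it and parse the quoted version string,
# e.g. java version "1.8.0_301" (update number after '_' is ignored) or openjdk version "17.0.2"
if (Test-Path $javaExe) {
    $output = & $javaExe -version 2>&1 | Out-String
    if ($output -match 'version "(\d+(?:\.\d+)*)') {
        $v = $Matches[1]
        if ($v -notmatch '\.') { $v += '.0' }      # [version] needs at least major.minor
        $found = [version]$v
        if ($found -lt $MinimumVersion) {
            $problems += "Installed JRE $found is below required $MinimumVersion"
        }
    } else {
        $problems += "Could not parse a version from: $($output.Trim())"
    }
}

# A leftover JRE earlier in PATH would shadow the relocated one; check what 'java' resolves to
$resolved = (Get-Command java -ErrorAction SilentlyContinue).Path
if ($resolved -and ($resolved -ne $javaExe)) { $problems += "PATH resolves java to $resolved" }

if ($problems.Count -eq 0) { 'OK: ArcMap JRE is in place, on PATH, and meets the baseline.' }
else { $problems | ForEach-Object { "FAIL: $_" } }
```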