Explain the difference between Java *client* security considerations and *server* security issues

I see a lot of Java CVEs related to launching malicious applets, but I rarely see CVEs that affect a component on the server side of the JVM. Example: http://www.f-secure.com/v-descs/exploit_java_cve_2012_4681_h.shtml

Can someone explain the difference with examples or sources (maybe a list of server-side and client-side CVEs?) by comparing these two?


Generally speaking, you don't see many CVEs that affect the server side, because the server side almost never runs user-provided code (or the attacker's code). Server-side vulnerabilities are basically failures to handle input data correctly, as well as configuration problems, so they are not Java errors.

However, the client side (applets are a great example) has a lot of CVEs because the user's JVM actually executes bytecode that was provided by the attacker. Vulnerabilities in the JVM can be triggered and exploited. These same vulnerabilities are usually present on the server side, but they are not reachable by attackers.

Another reason you don't see a lot of CVEs on the server side is that most server-side vulnerabilities are application/implementation-specific and affect only one application. However, there are quite a few CVEs for large web applications such as WordPress.

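To make the "failure to handle input data correctly" point concrete, here is an added example that is not part of the question or the answer above. It shows the typical shape of a server-side Java bug: a file-download handler that builds a filesystem path from a request parameter. The document root `/srv/app/files` and the method names are assumptions for illustration; nothing is read from disk, so the program runs anywhere and simply prints which inputs each version accepts.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DownloadHandler {

    // Hypothetical document root for this example (assumed, not taken from any real deployment).
    private static final Path BASE_DIR =
            Paths.get("/srv/app/files").toAbsolutePath().normalize();

    // Vulnerable version: trusts the request parameter and concatenates it into a path.
    // Input such as "../../etc/passwd" walks out of the document root.
    static Path resolveUnsafe(String requested) {
        return Paths.get(BASE_DIR.toString(), requested).normalize();
    }

    // Hardened version: resolve against the root, normalize away "." and "..",
    // and then verify that the result still lies inside the root.
    // An absolute input (e.g. "/etc/passwd") is also rejected, because
    // Path.resolve() returns the absolute argument unchanged and the
    // startsWith() check then fails.
    static Path resolveSafe(String requested) {
        Path resolved = BASE_DIR.resolve(requested).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes document root: " + requested);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one traversal, one traversal that
        // stays inside the root, one absolute path.
        String[] inputs = {
            "report.pdf",
            "../../etc/passwd",
            "sub/../other.txt",
            "/etc/passwd"
        };

        for (String input : inputs) {
            System.out.println("input: " + input);
            System.out.println("  unsafe -> " + resolveUnsafe(input));
            try {
                System.out.println("  safe   -> " + resolveSafe(input));
            } catch (IllegalArgumentException e) {
                System.out.println("  safe   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac DownloadHandler.java && java DownloadHandler`. The unsafe version happily produces `/etc/passwd` for the traversal inputs; the safe version accepts `report.pdf` and `sub/../other.txt` (which normalizes to `/srv/app/files/other.txt`) and rejects the other two. This is exactly the kind of flaw the answer describes: a defect in how one application validates input, not a defect in the JVM, which is why it would be reported against that application rather than as a Java CVE.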

Source: https://habr.com/ru/post/1484749/
