Oracle has released three updates to Java. It is important to note that they contain several security changes. The releases are:
Java SE 7 Update 21
This release contains new features and fixes for security vulnerabilities, including a new Server JRE, JRE Installer linked with Uninstall Applet on Windows platform, changes to Security Dialogs and more. Oracle strongly recommends that all Java SE 7 users upgrade to this release.
Release Notes Download
Java SE 6 Update 45
This release contains fixes for security vulnerabilities.
Release Notes Download
Java SE Embedded 7 Update 21
This release is based on Java Development Kit 7 Update 21 (JDK 7u21) and provides specific features and support for embedded systems.
Release Notes Download
Security Changes
In addition to security fixes, Oracle has included new security features in this release. These are significant:
- Server JRE (Server Java Runtime Environment) - for the first time, Oracle is making available this version of the JRE for deploying Java applications on servers. This version includes tools for JVM monitoring and commonly required for server applications, but does not include browser integration (the Java plug-in). Based on the JDK but without the deployment features, it is available on Solaris, Windows and Linux platforms. For more information on installing this product, see Installation Instructions.
- Changes to Java Control Panel's Security Settings - In this release, low and custom settings are removed from the Java Control Panel(JCP)'s Security Slider.Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run.
For more information, see the Security section of the Java Control Panel documentation.
- Changes to Security Dialogs - Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog messages the user sees depends upon the risk factors. Low-risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk. See the Java Source Blog IMP: Your Java Applets and Web Start Applications Should Be Signed.
Resources that will be helpful for both developers and end-users are: - What should I do when I see a security prompt from Java? (Java.com FAQ)
- Java Content in the Browser — Application Publisher Security Messages (Java.com FAQ)
- Java Applet & Web Start - Code Signing (OTN FAQ)
- Changes to RMI - From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.
This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.
For more information, see RMI Enhancements in Java SE 7 documentation.
- JDK for Linux on ARM - this release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.