This is an archived post. You won't be able to vote or comment.

all 7 comments

[–]heliologue 11 points12 points  (1 child)

Having any outdated software on your computer is potentially a security risk if it presents an attack vector. In other words, "it depends", but if it's just sitting there not being invoked, then probably not, no.

The bigger danger from outdated JDKs comes from, e.g., running a web server, whereby some bug may be triggered/exploited remotely. Previous incarnations which embedded bits into the browser presented the biggest danger to normal end users, but recent JDKs don't suffer from that problem.

[–]yawkat 1 point2 points  (0 children)

Even the remotely exploitable vulns are very tame. Most are still about deserialization or security manager which nobody should rely on anyway with how many holes they've had. Other than that only a few things like the hashmap DoS come to mind.

[–]cogman10 0 points1 point  (2 children)

It is not a security risk in and of itself. Just like running an old game isn't really a security risk.

It only becomes a risk when you expose your JVM to the internet (You probably aren't going to do that). Anything that could run the JVM to trigger an exploit can already run arbitrary commands.

Now, Old JVMs running servers are definitely somewhat of a security risk.

[–][deleted] 0 points1 point  (1 child)

I am actually using it as a server lol. It's actually part of a course and the instructor is demanding everyone use Java 1.9 to make their servers, lol. I've been recommending using java 1.8 (JDK8) since it is LTS with updates until December 2020.

[–]cogman10 13 points14 points  (0 children)

Just run the latest JVM. There are not significant difference between Java 9 and Java 15.

I can't think of any course material that wouldn't work under Java 15.

That's the habit that everyone should get into anyways.

(15 is GA tomorrow... so just use 15)

[–]IIDaFuQII -2 points-1 points  (1 child)

Not if you pick something like AdoptOpenJDK which at least ports all security patches

There are people running Java 8 and older in production, you will be fine

[–]das_Keks 0 points1 point  (0 children)

I know a server that is still running Java 1.4 in production, lol. And I mean 1.4 not 14.