Does Java with SPARK and Openfire pose a Security Risk?

I am trying to get Spark approved for use, but I am being told that because the applications are used with Java, it poses a security risk. Can they be used without Java? Can the messenger be used where it will never need to access the outside network? Are there other misconceptions regarding security that can be easily remedied?

Anything exposed to the internet can be a security risk.

However, in this case, most of Java's security risk is associated with Java's browser plugins and their not being updated, much like Flash vulnerabilities. Many applications run on Java, both open source and proprietary. If you follow proper patch management and implement other mitigations (AV, firewalls, IDS, IPS, etc.), then I'd say the risk is minimal if the software is from a trusted source.

No, Spark and Openfire can't run without Java. You can remove the bundled version of Java (the jre folder inside both the Openfire and Spark installation folders) and install your own latest version (with all security patches) of Java. Openfire should work with Java versions 8-11. For Spark I would still use the latest version of Java 8; although it seems to run with 11, some elements might not work correctly.

Spark/Openfire can be used in an internal network; they do not require an internet connection. If you need plugins for Openfire, you can download and install them in a few ways other than from the online Plugins page in the Admin Console.

In theory everything can pose a risk. The bundled Java is only used inside the application, but maybe it is still possible to somehow send a malicious link to Spark that would exploit a Java vulnerability. Then again, if you are using it only internally, the risk is lower. We have never heard of Java vulnerabilities being exploited in the wild in the context of Spark/Openfire.

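The answer above suggests removing the bundled jre folder and running Openfire and Spark on a patched system Java instead. As an added example (not from this thread and not from the Openfire or Spark projects), here is a small POSIX shell script that reports the version of the JRE bundled under an install directory and flags it when it is older than the system Java. It assumes a Linux-style install with the runtime in <install dir>/jre/bin/java, as the post describes, and a system `java` on PATH; the directory paths in the usage comment are placeholders. The parser works on the text of `java -version`, so both the old "1.8.0_NNN" and the new "11.0.N" numbering schemes are handled.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Openfire/Spark.
# Reports the JRE bundled with an Openfire or Spark install and compares it
# with the system Java, so a stale bundled runtime does not go unnoticed.
# Assumptions: bundled runtime at <install dir>/jre/bin/java; `java` on PATH.

# Pull the version out of `java -version` output and normalise it to
# MAJOR.MINOR.PATCH: "1.8.0_292" -> 8.0.292, "11.0.12+7" -> 11.0.12, "17" -> 17.0.0.
java_version_of() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    ver=${ver%%+*}                       # drop a build suffix such as +7
    case "$ver" in
        1.*)                             # legacy scheme: 1.<major>.<minor>_<patch>
            major=$(printf '%s' "$ver" | cut -d. -f2)
            rest=$(printf '%s' "$ver" | cut -d. -f3)
            minor=${rest%%_*}
            patch=$(printf '%s' "$rest" | cut -d_ -s -f2)
            ;;
        *)                               # new scheme: <major>[.<minor>[.<patch>]]
            major=${ver%%.*}
            minor=$(printf '%s' "$ver" | cut -d. -s -f2)
            patch=$(printf '%s' "$ver" | cut -d. -s -f3)
            ;;
    esac
    printf '%s.%s.%s\n' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# Exit 0 when version $1 is strictly older than version $2 (both MAJOR.MINOR.PATCH).
version_lt() {
    set -- $(printf '%s %s\n' "$1" "$2" | tr . ' ')
    a=$(( $1 * 1000000 + $2 * 10000 + $3 ))
    b=$(( $4 * 1000000 + $5 * 10000 + $6 ))
    [ "$a" -lt "$b" ]
}

# Check one install directory. Returns 1 when its bundled JRE is older than
# the system Java, 0 when it is current or when nothing is bundled.
check_bundled_jre() {
    dir=$1
    if [ ! -x "$dir/jre/bin/java" ]; then
        echo "$dir: no bundled JRE (system Java will be used)"
        return 0
    fi
    bundled=$(java_version_of "$("$dir/jre/bin/java" -version 2>&1)")
    system=$(java_version_of "$(java -version 2>&1)")
    echo "$dir: bundled JRE $bundled, system Java $system"
    if version_lt "$bundled" "$system"; then
        echo "$dir: bundled JRE is older than system Java; replace or remove $dir/jre so the patched runtime is used"
        return 1
    fi
    return 0
}

# Usage (paths are placeholders): ./check_jre.sh /opt/openfire /opt/Spark
# Self-check on constructed output, no Java needed:
#   java_version_of 'openjdk version "1.8.0_292"'   -> 8.0.292
for d in "$@"; do check_bundled_jre "$d"; done
```

Run it against each install directory after an update cycle; a non-zero exit from `check_bundled_jre` is the signal that the bundled runtime has fallen behind the Java you actually patch.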

Java consistently ranks among the most popular programming languages and runtime environments. It is used to power a good percentage of the internet, is in use by all industries, including military and law enforcement, and is backed by several vendors and a huge community.

Java is not any more or less secure than any other modern framework or programming language. Obviously, as with any other software based product, an installation needs to be managed, updated, etc.

Java-in-the-browser is a notable and important exception, as @speedy already hinted at, but neither Openfire nor Spark makes use of that.
