Advice Request Is Java JRE a security risk?

Java is always a security risk, but like @SecureKongo posted, its risks can be mitigated, and my advice is to always avoid opening JAR files.

Unfortunately, the solution of not installing Java isn't a solution at all; there are many applications that need it to properly run. In my case, my career as a lawyer depends on it (the A3 digital certificate that we need to confirm our identity uses Java).
 
@The Cog in the Machine
It's a security risk? If a hacker can get access to your company LAN, he can use installed Java binaries to do some nasty things. Which comes to mind to not use Visual Studio Code aka VBS and so on, which are surely allowed in corporate networks.
In the end, if a hacker wants to reach his goal, he will find ways with and without Java. A targeted attack on Java vulnerabilities, however, can be significantly mitigated by disabling the Java plugin within browsers and not opening JAR files, as @Nightwalker stated above. Taking those precautions will make Java not much less insecure than other widespread code. Not using it isn't an option for a majority of people.
 
Thank you all for your help and advice. I am still using Mendeley and, unfortunately, their Desktop version, which supports LibreOffice, rarely receives updates and it will not receive any new features. They developed a new version, Mendeley Reference Manager, which does not support LibreOffice.
Zotero does support LibreOffice, but it did not work on my system for I do not have Java installed. Now my question is, and I know you might not have an answer for it, does Mendeley require Java too, but Java is embedded in their installer? What if I migrate to Zotero and install Java JRE 8 and install OS Armor (I am using McAfee and F-secure on my systems and OS Armor seems to play well with the two solutions)?
 
After doing some research, the Mendeley extension is written in Python, so it is the better option here from a security point of view, right?
 
@The Cog in the Machine
It's a security risk? If a hacker can get access to your company LAN, he can use installed Java binaries to do some nasty things. Which comes to mind to not use Visual Studio Code aka VBS and so on, which are surely allowed in corporate networks.
I wonder why people are confusing Java with Javascript and Visual Studio Code with VBS.

They both don't rely on either to run, and use different languages, scripts.
After doing some research, the Mendeley extension is written in Python, so it is the better option here from a security point of view, right?
Yes, Python is more secure than Java, and contrary to Java, Python is a language developers actually like.

Java is pretty much the black sheep every good developer hates.
 