Java 7 update 51 (January, 2014) will include two security changes that will affect many Kronos® customers. Will it affect you and how? Must you perform this mandatory update?
Oracle released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers. The security vulnerabilities only affect Oracle Java 7 versions. Oracle is recommending that the updates in this Security Alert be applied as soon as possible. This to avoid the possibility of unknown attackers entry into your computer systems through malicious browser applets. In response to this upcoming update, Kronos issued a technical advisory titled: "Workforce Central and JRE 1.7 – Mandatory Action Required." What does this mean for Kronos users and your Java Runtime Environment?
I had a great opportunity recently to attend a call by Kronos concerning the changes. The main thing that we need to be aware of is the JRE 1.7.0_51 will be released soon. Per the technical advisory: …"Oracle's JRE 1.7.0_51 (January 14, 2014) will introduce security enhancements that will block access to the application and require all customers running Workforce Central (WFC) versions 6.1, 6.2, 6.3 and 7.0 take action …to continue using Workforce Central on January 14, 2014” (italics ours).
All Kronos customers on the versions listed should become familiar with the upcoming changes that Kronos is implementing to accommodate the Oracle JRE update version change. If you are an existing Kronos customer, you will want to make an assessment of your current setup (first determine current JRE versions and if you are using a “connected” or “locked down” system). If your Kronos environment is being maintained in the Kronos Cloud, then work with your Kronos Cloud team. They will implement any updates for Kronos or Java for your hosted system. If your environment is not in the Kronos Cloud, then you will need to take action.
What do I need to be aware of with the Java client (JRE) update?
In addition to the technical advisory, here are some additional items to be aware of regarding the Java version changes:
Kronos is now recommending for those that update they now leave the auto-update feature on (the default) instead of disabling auto-update (JRE client version 1.7 and above).
Kronos is moving away from the JRE entirely, but the entire Java code will need to be rewritten into HTML 5. Due to this, Kronos stated being independent of Java entirely for Workforce Central will not be until at least 2015.
After updating the Kronos Workforce Central Service Pack and latest Java version, you may need to clear your JRE cache (temporary files) if you experience slow navigation or are unable to load an employee time card or schedule from the Workforce Genie™ as a Workforce Manager.
Some positive thoughts from the Kronos customer Webinar:
Kronos is not the only vendor that is impacted by the upcoming change introduced by Oracle. There are others such as ADP, SAP, and Oracle.
Kronos will now qualify the new version of the Java with signed applets within 48 hours of the JRE new version release from Oracle.
Almost all employee functions do not require the use of the JRE. Kronos states that 78% of Workforce employees do not require the JRE. From this I am inferring that the main impact from the update will be felt by people licensed in Kronos as Workforce Managers or “super-users” of the system (i.e. Kronos System Administrators).
What Will This Look Like?
For those accessing Kronos with the JRE version 1.7 update (e.g. update 21 or 45) for the very first time, you will see the following screen:
If you have Internet access (what Kronos refers to as a “Connected System” according to the Technical Advisory) you will be able to update the version. The above screen was generated by my own Workforce Central “Connected” system when I accessed the /logon URL (classic view) for the very first time. At this time, I am awaiting Workforce Central Service Pack 7.0.2 to be released by Kronos so I will choose “Later” instead of “Update” on the above screenshot and will still be able to access Kronos for the time being. Note: per the technical advisory I will not be able to use Quick links, however in Navigator I can use the Default System Administrator Workspace (if configured). Once I install Kronos Workforce Central Service Pack 7.0.2 (for signed applets), I will roll out the latest Java version. If I choose to “Update” to the latest JRE (version 7 update 45), I can continue to use Workforce Central version 7 RTM but I might also be prompted if I would like to “Allow” the Kronos application.
What is the most important item to be aware of when I apply the latest Kronos Workforce Central service pack? I get all the new features, bug fixes, and the JRE works seamlessly with Kronos using signed applets!
January 14, 2014, that is so soon! Who would I contact for additional information concerning the mandatory update?
You can connect with us here. Kronos will also be proactively contacting existing customers.
In the last article I wrote regarding Java, there was discussion regarding how to check the Java client (JRE) version and factors attributing to version changes when upgrading Kronos Workforce Central™ (WFC). According to Oracle™ things will now change in regards to updating the JRE. This is to accommodate both JRE security concerns and to be in-line with Oracle’s stance. The primary change is that when accessing Kronos signed applets will be delivered (as opposed to unsigned applets) to accommodate the latest JRE version 7 update. If you need to know if your organization will be impacted by the Java client update, reference the Kronos Knowledge base article: How to Determine If You Will Be Impacted by the 1.7.0_51 Java Runtime Environment (JRE) Security Changes.