by tveita 3705 days ago
Most of the horrible security bugs in Java show up in the sandbox, where attackers can supply arbitrary code for you to run.

In contrast, Java as a server language has an excellent security record IME. The last public patch panic I can remember was in 2011 with the denial of service bug regarding parsing of floating points. There have been other security bugs regarding cryptography etc., I'm sure, but in general you can feel very secure running Java on your servers.

It is a shame that security bugs for both are bundled together, making every sandbox compromise a "Remote exploitable" vulnerability. The "applet" use case should probably just die; there is no indication that Java sandboxing will ever be secure, the design is unsound.

2 comments

Oracle is deprecating the Java browser plugin in JDK 9, i.e. the applet use case. There will still be support for Java Web Start though.
I've always wondered why nobody sandboxes Java applets in a LXC/Docker container or in a chrome sandbox the same way flash is contained.
Java as a server language has a record of nasty serialization-related RCE vulnerabilities. Of course, they're in popular Java libraries used on the server rather than the language itself, just like this bug was in a popular C library rather than the language itself - but Java makes it very easy to accidentally write that kind of vulnerability. In fact, just loading two unrelated libraries that are individually safe sometimes creates an exploitable RCE condition in Java. That's worse than even C.