Is it safe to download Java in a virtual machine?


I put my computer up into Linux with the VMware Workstation 12 Player. I wanted to add some Java components to some software that is available only in Linux, but when I tried to, I realized I didn't have Java installed. Before I install the JVM (Java Virtual Machine), I wanted to know if it's safe to install the JVM in a VM.

  • What may be some possible errors (if any) in running a VM (JVM) in another VM?

  • What should I expect to work differently because of using Java in a virtual machine (if anything)?

  • What should I not do when running a VM (JVM) in another VM?

2

There are 2 answers

1
Kevin Boone (BEST ANSWER)

Running a Java VM in a platform VM (VMware, VirtualBox...) is absolutely commonplace in the computing industry. My experience is that the performance/throughput of a Java program is usually not very different when run in that mode than it would be if run in a JVM on bare metal. In any event, I tend to think of the JVM as a kind of pimped-up runtime library, rather than a "real" VM. This is a matter of interpretation, of course.

But whether it's "safe" depends on what kind of safety you mean. Running in a platform VM environment does have the potential to create problems with reliability, often related to networking. The ability to move an entire VM from one physical host to another does potentially increase the risk of data leakage. But neither of these problems is specific to Java.

1
Stephen C

> Installing a VM in another VM just sounds unsafe to me

There is nothing unsafe about installing a VM inside another VM. Not in theory. Not in (general) practice.

For JVMs, there is no additional risk in running the JVM on a VM versus running a JVM on a "bare metal" machine. Indeed, in some circumstances it could be safer. (If your VM is isolated from the rest of your infrastructure, you can treat it (the VM) as a sandbox, and destroy it if it gets compromised ... via a JVM, or anything else.)

There are security concerns [1] with exposing Java VMs in web-browsers so that the browsers can run untrusted code; e.g. applets. But that is a special case ... and you can easily avoid this eventuality. Indeed, if you use an up-to-date Oracle JVM, you need to work quite hard to enable Java in a web browser [2].


1 - There have been a series of security problems that allow malicious code running in a Java sandbox to break out.

2 - Indeed, Oracle and web browser manufacturers have mostly removed the ability to run Java in a browser. There are one or two hold-outs, but sanity has prevailed ... mostly.