  1. Confluence Data Center
  2. CONFSERVER-28051

Update to the latest patch level of bundled JRE - server-side security vulnerabilities exist.

Details

    • Bug
    • Resolution: Fixed
    • High
    • 5.0.2
    • None
    • None

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      https://blogs.oracle.com/security/entry/february_2013_critical_patch_update

      states:

      3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in Browser, or in servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario of this kind of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

      Now we know we are doing improbable things every day.

      The patch is already out - http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html but will be updated on 19th Feb.

            People

              easenjo sthr (Inactive)
              vosipov VitalyA