Calendar manager has been a security screwup for at least 10 years and I remember switching it off across all our servers many moons ago. I doubt many desktop Solaris users even use CDE these days (Gnome being preferred) so it should have been switched off/uninstalled.
As for Java, yeah, the vast majority relate to "untrusted code" which basically means "code run in the browser" in the majority of cases. Another reason I don't install Java browser extensions and I haven't missed them in ages.
Biting the hand that feeds IT
