[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5453855D.5000605@security-explorations.com>
Date: Fri, 31 Oct 2014 13:49:33 +0100
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [SE-2014-01] Missing patches / inaccurate information regarding Oracle
Oct CPU
Hello All,
We've been recently informed by a 3rd party that Oracle planned to release
fixes for the vulnerabilities covered by our SE-2014-01 [1] project in Nov
2014.
We initially thought that someone mistakenly took Oct for Nov (Oracle CPU
was released on Oct 14, 2014), but the credibility of the source of this
information made us dig a little bit further into this.
As a result we found out the following.
OJVM PSU patches covering security issues in Oracle Database Java VM has not
been released in full for Windows platform.
That's regardless of the fact that Oracle blog post [2] highlighted Windows
platform as mostly affected by Java VM vulnerabilities (CVSS 9.0 Base Score
reflecting instances where a user running the database has administrative
privileges in a target OS).
Oracle Support Doc ID 1912224.1 confirmed our finding. This document
specifies
November 4, 2014 as an estimated date for the release of Oracle Database
Java
VM patches (Oracle calls them "post release" patches):
- Oracle JavaVM Component 12.1.0.1.1 Database PSU Patch 19801531 for Windows
- Oracle JavaVM Component 11.2.0.3.1 Database PSU Patch 19806120 for Windows
- Oracle JavaVM Component 11.1.0.7.1 Database PSU Patch 19806118 for Windows
We also found out that Oracle Support Doc ID 360870.1 [3], the one that
is usually quoted by Oracle at the time of patching security issues in
Oracle
products contains misleading and inaccurate information about the impact of
Java Security Vulnerabilities on Oracle Database and Fusion Middleware
products.
This in particular concerns the following excerpts:
"Oracle installations of the Java SE do not configure a browser plug-in,
so it
is not possible to invoke them using a browser on the machine on which
they are
installed. It is not possible for a malicious web site to download a
malicious
Java applet which uses the Java SE that Oracle installs to cause harm.
This is
why Java security vulnerabilities regarding applets cannot be exploited
in Oracle
environments."
"The Oracle Database Server contains an embedded Java Virtual Machine
implemented
by Oracle but is not the Java SE. The Java Virtual Machine is not
affected by
security vulnerabilities listed in the Java SE security advisories."
Similarly, misleading and inaccurate information is also contained in Oracle
Support Doc ID 1074055.1 [4]:
"Where there are published vulnerabilities in Java, it is almost never
the case
that such vulnerabilities can be exploited via Oracle applications
written in
Java. Typically, such vulnerabilities can be exploited only by:
- Attackers that write Java code that is executed on browsers.
- Attackers that write Java programs that knowingly are executed by the
people
whose computing resources are being attacked.
That means, if one only runs Java applications written by trusted
developers, it
is unlikely that there is any significant risk posed by Java
vulnerabilities."
---
We take the update of a 1+ year old Java class base (java.version =
1.6.0_43 for
11g R2 as of Jun 2014) embedded by Oracle Database along with the
commitment to
release Oracle JavaVM Component Database PSU as part of the Critical
Patch Update
program starting from October 2014 [5] onwards as an indirect
acknowledgment of
a Java security mess spilling beyond the usual victim (applets / browser
plugin).
Thank you.
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] SE-2014-01 Security vulnerabilities in Oracle Database Java VM
http://www.security-explorations.com/en/SE-2014-01.html
[2] October 2014 Critical Patch Update Released
https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
[3] Impact of Java SE Security Vulnerabilities on Oracle Database and
Fusion Middleware Products (Doc ID 360870.1)
Last Major Update: Jun 9, 2014
[4] Security Vulnerability FAQ for Oracle Database and Fusion Middleware
Products (Doc ID 1074055.1)
Last Major Update: Oct 22, 2014
[5] Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU"
(OJVM PSU) Patches (Doc ID 1929745.1)
Last Major Update: Oct 31, 2014
Powered by blists - more mailing lists