'[FD] [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU
From:       Security Explorations <contact () security-explorations ! com>
Date:       2014-10-31 12:49:33
Message-ID: 5453855D.5000605 () security-explorations ! com
[Download RAW message or body]

Hello All,

We've been recently informed by a 3rd party that Oracle planned to release
fixes for the vulnerabilities covered by our SE-2014-01 [1] project in Nov
2014.

We initially thought that someone mistakenly took Oct for Nov (Oracle CPU
was released on Oct 14, 2014), but the credibility of the source of this
information made us dig a little bit further into this.

As a result we found out the following.

OJVM PSU patches covering security issues in Oracle Database Java VM has not
been released in full for Windows platform.

That's regardless of the fact that Oracle blog post [2] highlighted Windows
platform as mostly affected by Java VM vulnerabilities (CVSS 9.0 Base Score
reflecting instances where a user running the database has administrative
privileges in a target OS).

Oracle Support Doc ID 1912224.1 confirmed our finding. This document 
specifies
November 4, 2014 as an estimated date for the release of Oracle Database 
Java
VM patches (Oracle calls them "post release" patches):
- Oracle JavaVM Component 12.1.0.1.1 Database PSU Patch 19801531 for Windows
- Oracle JavaVM Component 11.2.0.3.1 Database PSU Patch 19806120 for Windows
- Oracle JavaVM Component 11.1.0.7.1 Database PSU Patch 19806118 for Windows

We also found out that Oracle Support Doc ID 360870.1 [3], the one that
is usually quoted by Oracle at the time of patching security issues in 
Oracle
products contains misleading and inaccurate information about the impact of
Java Security Vulnerabilities on Oracle Database and Fusion Middleware 
products.

This in particular concerns the following excerpts:

"Oracle installations of the Java SE do not configure a browser plug-in, 
so it
is not possible to invoke them using a browser on the machine on which 
they are
installed. It is not possible for a malicious web site to download a 
malicious
Java applet which uses the Java SE that Oracle installs to cause harm. 
This is
why Java security vulnerabilities regarding applets cannot be exploited 
in Oracle
environments."

"The Oracle Database Server contains an embedded Java Virtual Machine 
implemented
by Oracle but is not the Java SE. The Java Virtual Machine is not 
affected by
security vulnerabilities listed in the Java SE security advisories."

Similarly, misleading and inaccurate information is also contained in Oracle
Support Doc ID 1074055.1 [4]:

"Where there are published vulnerabilities in Java, it is almost never 
the case
that such vulnerabilities can be exploited via Oracle applications 
written in
Java. Typically, such vulnerabilities can be exploited only by:
- Attackers that write Java code that is executed on browsers.
- Attackers that write Java programs that knowingly are executed by the 
people
   whose computing resources are being attacked.
That means, if one only runs Java applications written by trusted 
developers, it
is unlikely that there is any significant risk posed by Java 
vulnerabilities."

---

We take the update of a 1+ year old Java class base (java.version = 
1.6.0_43 for
11g R2 as of Jun 2014) embedded by Oracle Database along with the 
commitment to
release Oracle JavaVM Component Database PSU as part of the Critical 
Patch Update
program starting from October 2014 [5] onwards as an indirect 
acknowledgment of
a Java security mess spilling beyond the usual victim (applets / browser 
plugin).

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] SE-2014-01 Security vulnerabilities in Oracle Database Java VM
     http://www.security-explorations.com/en/SE-2014-01.html
[2] October 2014 Critical Patch Update Released

https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
[3] Impact of Java SE Security Vulnerabilities on Oracle Database and 
Fusion Middleware Products (Doc ID 360870.1)
     Last Major Update:	Jun 9, 2014
[4] Security Vulnerability FAQ for Oracle Database and Fusion Middleware 
Products (Doc ID 1074055.1)
     Last Major Update:	Oct 22, 2014
[5] Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU" 
(OJVM PSU) Patches (Doc ID 1929745.1)
     Last Major Update:	Oct 31, 2014

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread] 