[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU

Hello All,

We've been recently informed by a 3rd party that Oracle planned to release
fixes for the vulnerabilities covered by our SE-2014-01 [1] project in Nov

We initially thought that someone mistakenly took Oct for Nov (Oracle CPU
was released on Oct 14, 2014), but the credibility of the source of this
information made us dig a little bit further into this.

As a result we found out the following.

OJVM PSU patches covering security issues in Oracle Database Java VM has not
been released in full for Windows platform.

That's regardless of the fact that Oracle blog post [2] highlighted Windows
platform as mostly affected by Java VM vulnerabilities (CVSS 9.0 Base Score
reflecting instances where a user running the database has administrative
privileges in a target OS).

Oracle Support Doc ID 1912224.1 confirmed our finding. This document specifies November 4, 2014 as an estimated date for the release of Oracle Database Java
VM patches (Oracle calls them "post release" patches):
- Oracle JavaVM Component Database PSU Patch 19801531 for Windows
- Oracle JavaVM Component Database PSU Patch 19806120 for Windows
- Oracle JavaVM Component Database PSU Patch 19806118 for Windows

We also found out that Oracle Support Doc ID 360870.1 [3], the one that
is usually quoted by Oracle at the time of patching security issues in Oracle
products contains misleading and inaccurate information about the impact of
Java Security Vulnerabilities on Oracle Database and Fusion Middleware products.

This in particular concerns the following excerpts:

"Oracle installations of the Java SE do not configure a browser plug-in, so it is not possible to invoke them using a browser on the machine on which they are installed. It is not possible for a malicious web site to download a malicious Java applet which uses the Java SE that Oracle installs to cause harm. This is why Java security vulnerabilities regarding applets cannot be exploited in Oracle

"The Oracle Database Server contains an embedded Java Virtual Machine implemented by Oracle but is not the Java SE. The Java Virtual Machine is not affected by
security vulnerabilities listed in the Java SE security advisories."

Similarly, misleading and inaccurate information is also contained in Oracle
Support Doc ID 1074055.1 [4]:

"Where there are published vulnerabilities in Java, it is almost never the case that such vulnerabilities can be exploited via Oracle applications written in
Java. Typically, such vulnerabilities can be exploited only by:
- Attackers that write Java code that is executed on browsers.
- Attackers that write Java programs that knowingly are executed by the people
  whose computing resources are being attacked.
That means, if one only runs Java applications written by trusted developers, it is unlikely that there is any significant risk posed by Java vulnerabilities."


We take the update of a 1+ year old Java class base (java.version = 1.6.0_43 for 11g R2 as of Jun 2014) embedded by Oracle Database along with the commitment to release Oracle JavaVM Component Database PSU as part of the Critical Patch Update program starting from October 2014 [5] onwards as an indirect acknowledgment of a Java security mess spilling beyond the usual victim (applets / browser plugin).

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] SE-2014-01 Security vulnerabilities in Oracle Database Java VM
[2] October 2014 Critical Patch Update Released

[3] Impact of Java SE Security Vulnerabilities on Oracle Database and Fusion Middleware Products (Doc ID 360870.1)
    Last Major Update:	Jun 9, 2014
[4] Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products (Doc ID 1074055.1)
    Last Major Update:	Oct 22, 2014
[5] Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU" (OJVM PSU) Patches (Doc ID 1929745.1)
    Last Major Update:	Oct 31, 2014