[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU
We've been recently informed by a 3rd party that Oracle planned to release
fixes for the vulnerabilities covered by our SE-2014-01  project in Nov
We initially thought that someone mistakenly took Oct for Nov (Oracle CPU
was released on Oct 14, 2014), but the credibility of the source of this
information made us dig a little bit further into this.
As a result we found out the following.
OJVM PSU patches covering security issues in Oracle Database Java VM has not
been released in full for Windows platform.
That's regardless of the fact that Oracle blog post  highlighted Windows
platform as mostly affected by Java VM vulnerabilities (CVSS 9.0 Base Score
reflecting instances where a user running the database has administrative
privileges in a target OS).
Oracle Support Doc ID 1912224.1 confirmed our finding. This document
November 4, 2014 as an estimated date for the release of Oracle Database
VM patches (Oracle calls them "post release" patches):
- Oracle JavaVM Component 220.127.116.11.1 Database PSU Patch 19801531 for Windows
- Oracle JavaVM Component 18.104.22.168.1 Database PSU Patch 19806120 for Windows
- Oracle JavaVM Component 22.214.171.124.1 Database PSU Patch 19806118 for Windows
We also found out that Oracle Support Doc ID 360870.1 , the one that
is usually quoted by Oracle at the time of patching security issues in
products contains misleading and inaccurate information about the impact of
Java Security Vulnerabilities on Oracle Database and Fusion Middleware
This in particular concerns the following excerpts:
"Oracle installations of the Java SE do not configure a browser plug-in,
is not possible to invoke them using a browser on the machine on which
installed. It is not possible for a malicious web site to download a
Java applet which uses the Java SE that Oracle installs to cause harm.
why Java security vulnerabilities regarding applets cannot be exploited
"The Oracle Database Server contains an embedded Java Virtual Machine
by Oracle but is not the Java SE. The Java Virtual Machine is not
security vulnerabilities listed in the Java SE security advisories."
Similarly, misleading and inaccurate information is also contained in Oracle
Support Doc ID 1074055.1 :
"Where there are published vulnerabilities in Java, it is almost never
that such vulnerabilities can be exploited via Oracle applications
Java. Typically, such vulnerabilities can be exploited only by:
- Attackers that write Java code that is executed on browsers.
- Attackers that write Java programs that knowingly are executed by the
whose computing resources are being attacked.
That means, if one only runs Java applications written by trusted
is unlikely that there is any significant risk posed by Java
We take the update of a 1+ year old Java class base (java.version =
11g R2 as of Jun 2014) embedded by Oracle Database along with the
release Oracle JavaVM Component Database PSU as part of the Critical
program starting from October 2014  onwards as an indirect
a Java security mess spilling beyond the usual victim (applets / browser
"We bring security research to the new level"
 SE-2014-01 Security vulnerabilities in Oracle Database Java VM
 October 2014 Critical Patch Update Released
 Impact of Java SE Security Vulnerabilities on Oracle Database and
Fusion Middleware Products (Doc ID 360870.1)
Last Major Update: Jun 9, 2014
 Security Vulnerability FAQ for Oracle Database and Fusion Middleware
Products (Doc ID 1074055.1)
Last Major Update: Oct 22, 2014
 Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU"
(OJVM PSU) Patches (Doc ID 1929745.1)
Last Major Update: Oct 31, 2014