[SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU Oct 31 2014 12:49PM
Security Explorations (contact security-explorations com)

Hello All,

We've been recently informed by a 3rd party that Oracle planned to release
fixes for the vulnerabilities covered by our SE-2014-01 [1] project in Nov

We initially thought that someone mistakenly took Oct for Nov (Oracle CPU
was released on Oct 14, 2014), but the credibility of the source of this
information made us dig a little bit further into this.

As a result we found out the following.

OJVM PSU patches covering security issues in Oracle Database Java VM has not
been released in full for Windows platform.

That's regardless of the fact that Oracle blog post [2] highlighted Windows
platform as mostly affected by Java VM vulnerabilities (CVSS 9.0 Base Score
reflecting instances where a user running the database has administrative
privileges in a target OS).

Oracle Support Doc ID 1912224.1 confirmed our finding. This document
November 4, 2014 as an estimated date for the release of Oracle Database
VM patches (Oracle calls them "post release" patches):
- Oracle JavaVM Component Database PSU Patch 19801531 for Windows
- Oracle JavaVM Component Database PSU Patch 19806120 for Windows
- Oracle JavaVM Component Database PSU Patch 19806118 for Windows

We also found out that Oracle Support Doc ID 360870.1 [3], the one that
is usually quoted by Oracle at the time of patching security issues in
products contains misleading and inaccurate information about the impact of
Java Security Vulnerabilities on Oracle Database and Fusion Middleware

This in particular concerns the following excerpts:

"Oracle installations of the Java SE do not configure a browser plug-in,
so it
is not possible to invoke them using a browser on the machine on which
they are
installed. It is not possible for a malicious web site to download a
Java applet which uses the Java SE that Oracle installs to cause harm.
This is
why Java security vulnerabilities regarding applets cannot be exploited
in Oracle

"The Oracle Database Server contains an embedded Java Virtual Machine
by Oracle but is not the Java SE. The Java Virtual Machine is not
affected by
security vulnerabilities listed in the Java SE security advisories."

Similarly, misleading and inaccurate information is also contained in Oracle
Support Doc ID 1074055.1 [4]:

"Where there are published vulnerabilities in Java, it is almost never
the case
that such vulnerabilities can be exploited via Oracle applications
written in
Java. Typically, such vulnerabilities can be exploited only by:
- Attackers that write Java code that is executed on browsers.
- Attackers that write Java programs that knowingly are executed by the
whose computing resources are being attacked.
That means, if one only runs Java applications written by trusted
developers, it
is unlikely that there is any significant risk posed by Java


We take the update of a 1+ year old Java class base (java.version =
1.6.0_43 for
11g R2 as of Jun 2014) embedded by Oracle Database along with the
commitment to
release Oracle JavaVM Component Database PSU as part of the Critical
Patch Update
program starting from October 2014 [5] onwards as an indirect
acknowledgment of
a Java security mess spilling beyond the usual victim (applets / browser

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] SE-2014-01 Security vulnerabilities in Oracle Database Java VM
[2] October 2014 Critical Patch Update Released

[3] Impact of Java SE Security Vulnerabilities on Oracle Database and
Fusion Middleware Products (Doc ID 360870.1)
Last Major Update: Jun 9, 2014
[4] Security Vulnerability FAQ for Oracle Database and Fusion Middleware
Products (Doc ID 1074055.1)
Last Major Update: Oct 22, 2014
[5] Oracle Recommended Patches -- "Oracle JavaVM Component Database PSU"
(OJVM PSU) Patches (Doc ID 1929745.1)
Last Major Update: Oct 31, 2014

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus