Re: Oracle JavaVM patches

From: Freek D'Hooge <freek.dhooge_at_gmail.com>
Date: Wed, 27 Apr 2016 15:37:59 +0200
Message-ID: <1461764279.3809.126.camel_at_dhoogfr-lpt1>
Thanks Neil

Was not aware of this mitigation patch

Kind regards,

Freek

On wo, 2016-04-27 at 14:02 +0100, Neil Chandler wrote:
> Apologies, you are right Niall, but perhaps I should have been more
> explicit than a quick reply from my phone... let's try again.
>
> The OJVM patch is a full DB-down to install. No rolling install on
> RAC. This rather screws up a large part of the point of implementing
> RAC - High Availability.
>
> If you don't use OJVM, it does seem rather a pain to patch when you
> are not using the feature. However, you do have that attack surface,
> which isn't good.
>
> If you are not using OJVM you should patch with the Mitigation patch.
> This blocks all known vulnerabilities for the OJVM for the ORACLE_HOME
> and can be installed as a rolling patch (see MOS: 19721304 for the
> patch - more info in 1929745.1). However, it may break the OJVM if you
> are using it. You need to check compatibility with the CPU (all up to
> Jan are OK).
>
> Neil
>
>
>
>
> ______________________________________________________________________
> Date: Wed, 27 Apr 2016 13:18:37 +0100
> Subject: Re: Oracle JavaVM patches
> From: niall.litchfield_at_gmail.com
> To: neil_chandler_at_hotmail.com
> CC: freek.dhooge_at_gmail.com; dmarc-noreply_at_freelists.org;
> oracle-l_at_freelists.org
>
>
> I disagree Neil. The CVSS matrices for the various OJVM vulnerabilities
> (e.g. http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixDB
> but there are later ones) indicate that the vulnerabilities are
> exploitable over the network by a user with create session privileges.
> It's the *existence* of the JVM that represents the attack vector - not
> whether you use it or not.
>
>
> On Wed, Apr 27, 2016 at 12:24 PM, Neil Chandler
> <neil_chandler_at_hotmail.com> wrote:
>
> It is a full DB down, yes, but you only need to patch the OJVM
> if you are using the OJVM. Not too many sites run Java in the
> database.
>
> Neil.
> sent from my phone
>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 27 2016 - 15:37:59 CEST
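The thread turns on two questions: is the JavaVM installed in this database, and does anyone actually use it. The following Oracle SQL is an added check (not from any of the posters) that answers both from the data dictionary and lists who holds CREATE SESSION, the privilege the CVSS entries cite; the list of excluded Oracle-owned schemas is an assumption and is not exhaustive.

```sql
-- Added example, not part of the original thread. Run as a DBA.

-- 1. Is the JavaVM component registered in this database at all?
--    No row here means the OJVM is not installed.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 2. Does any application schema own Java objects?
--    The exclusion list is an assumed set of Oracle-owned schemas;
--    on 12c and later prefer dba_users.oracle_maintained = 'N'.
SELECT owner, object_type, COUNT(*) AS object_count
  FROM dba_objects
 WHERE object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE', 'JAVA DATA')
   AND owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'ORDDATA', 'XDB',
                     'EXFSYS', 'WMSYS', 'CTXSYS', 'OLAPSYS', 'DBSNMP',
                     'APPQOSSYS', 'OUTLN', 'ORACLE_OCM')
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- 3. Who can open a session?  Direct grants only; a grantee may be a
--    role (e.g. CONNECT), whose members are resolved via dba_role_privs.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE SESSION'
 ORDER BY grantee;
```

An installed JAVAVM with no application-owned Java objects is the "have the attack surface but don't use the feature" case discussed above, which is where the rolling mitigation patch is relevant.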
