Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

4 Tips to Identify, Patch & Report on the Oracle Java Vulnerability

Posted September 7, 2012    Jerome Diggs

Last week our security research team provided some very enlightening information on a nasty Oracle Java vulnerability that until recently was a zero-day.  Oracle provided a patch for the vulnerability found in advisory (CVE-2012-4681)  and as a follow-up to the blog post by our security research team we wanted to share with you some easy steps to follow in order to leverage Retina CS’ integration with Microsoft’s WSUS and our unique 3rd party patch integration features. This will get your systems patched as quickly as possible, and ensure your systems are correctly identified, alerted and reported on, in a timely manner.

Topic: Discovering the vulnerability in the enterprise

Tip 1: Creating a custom audit group for the audits related to CVE-2012-4681

In the case where you want to do focused scans against your network looking for this particular vulnerability you can create an audit group that specifically looks for CVE-2012-4681 the offending vulnerability across your enterprise (obviously this will be included in normal ‘all audits’ scans, as well).  In any case the audits you want to include are:

Audit ID 17016 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JDK

Audit ID 17017 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JRE

Audit ID 17018 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JDK

Audit ID 17019 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JRE

Creating custom audit groups are great for ad-hoc scanning as it will allow you to quickly scan the enterprise for specific audits.

Tip 2: Creating an alert enabled smart group for CVE-2012-4681

You can also create a smart rule to alert you (via email) when new machines are added/removed with the vulnerability by using a single criteria and action, as noted below.

Additionally, you can create leverage the ‘Show Assets as Smart Group’ under ‘Perform Action’ which will create a filtered view in Retina CS for all systems that still have the vulnerability.

Users can quickly determine which systems still have the vulnerability across the enterprise with the click of a mouse.

Topic: Patching systems with the Oracle Java vulnerability

Tip 3: Leveraging the integrated Microsoft WSUS and 3rd party patching feature to patch CVE-2012-4681

For all Retina CS and Retina CS Community customers, our Patch Management features configuration of WSUS integration, which is a very straightforward process (please refer to the product installation guide for details).  Retina CS’ integration with Microsoft WSUS allows system users to manage a single or multiple WSUS servers with a few clicks of the mouse. The enablement of 3rd party patch integration extends our capabilities to meet the diverse demands of the modern corporate network.

Once properly configured you’ll notice that in the ‘Patch’ tab on a vulnerability, we provide correlated information on the patch from WSUS, including: whether or not it has been approved for WSUS deployment, whether or not it has been installed, and the patch release date and arrival date (when WSUS downloaded the patch).

You can identify a patch enabled smart group in the left hand tree by the [P] designation.  This basically means that we’ve added an action for the smart group to enable it for patch management (please refer to the product documentation for details on proper configuration).

There are numerous filters to identify which patches are missing and subsequently need to be deployed but for the purpose of this blog we are looking for patches ‘not installed’, have a setting of ‘no’ for approval status, have a classification of ‘critical updates’ and vendor = ‘Oracle Corporation’.

Next you’ll want to ‘Approve’ the patches for installation, you’ll be able to approve the patch(es) for the smart group that is currently in the context or you can multi-select additional smart groups, the choice is yours.

Once you’ve approved the patch for the smart group(s) the target’s built-in Microsoft Windows Update client will download and perform the installation based on the settings specific to the individual smart group.  You can use the tips above to perform subsequent scanning and receiving updated alerts.

Topic: Reporting on systems with the Oracle Java vulnerability

Tip 4: Filtered reports

The audit group you created above can also be used as filters in reports in the case where you’ve run broader scans (i.e. all audits) but only want to report on the specific Oracle Java vulnerabilities.  When you set up the job to generate the report (yes, reports can also be scheduled) you’ll want to ensure that you select the appropriate audit group (in my example ‘Oracle Java CVE-2012-4681 Audits’).

Doing so will produce a report with machines that have the specific Oracle Java vulnerability.

Hopefully these tips and tricks will help you solidify a game plan on tackling the task of identifying and remediating systems with CVE-2012-4681. Read more about Java-based exploitation from our research team.

If you have concerns of the security posture of your environment, feel free to download and try our community version to discover, assess and gain remediation guidance in our simple to use standalone scanner, Retina or Retina CS Community (which supports Patch management).

, , , , ,

Leave a Reply

Additional articles

VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

, , , ,

Privileged Passwords: The Bane of Security Professionals Everywhere

Posted February 19, 2015    Dave Shackleford

Passwords have been with us since ancient times. Known as “watchwords”, ancient Roman military guards would pass a wooden tablet with a daily secret word engraved from one shift to the next, with each guard position marking the tablet to indicate it had been received. The military has been using passwords, counter-passwords, and even sound…

, , ,
Privileged Account Management Process

In Vulnerability Management, Process is King

Posted February 18, 2015    Morey Haber

You have a vulnerability scanner, but where’s your process? Most organizations are rightly concerned about possible vulnerabilities in their systems, applications, networked devices, and other digital assets and infrastructure components. Identifying vulnerabilities is indeed important, and most security professionals have some kind of scanning solution in place. But what is most essential to understand is…

, , , , ,