Last week our security research team provided some very enlightening information on a nasty Oracle Java vulnerability that until recently was a zero-day. Oracle provided a patch for the vulnerability found in advisory (CVE-2012-4681) and as a follow-up to the blog post by our security research team we wanted to share with you some easy steps to follow in order to leverage Retina CS’ integration with Microsoft’s WSUS and our unique 3rd party patch integration features. This will get your systems patched as quickly as possible, and ensure your systems are correctly identified, alerted and reported on, in a timely manner.
Topic: Discovering the vulnerability in the enterprise
Tip 1: Creating a custom audit group for the audits related to CVE-2012-4681
In the case where you want to do focused scans against your network looking for this particular vulnerability you can create an audit group that specifically looks for CVE-2012-4681 the offending vulnerability across your enterprise (obviously this will be included in normal ‘all audits’ scans, as well). In any case the audits you want to include are:
Audit ID 17016 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JDK
Audit ID 17017 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JRE
Audit ID 17018 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JDK
Audit ID 17019 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JRE
Creating custom audit groups are great for ad-hoc scanning as it will allow you to quickly scan the enterprise for specific audits.
Tip 2: Creating an alert enabled smart group for CVE-2012-4681
You can also create a smart rule to alert you (via email) when new machines are added/removed with the vulnerability by using a single criteria and action, as noted below.
Additionally, you can create leverage the ‘Show Assets as Smart Group’ under ‘Perform Action’ which will create a filtered view in Retina CS for all systems that still have the vulnerability.
Users can quickly determine which systems still have the vulnerability across the enterprise with the click of a mouse.
Topic: Patching systems with the Oracle Java vulnerability
Tip 3: Leveraging the integrated Microsoft WSUS and 3rd party patching feature to patch CVE-2012-4681
For all Retina CS and Retina CS Community customers, our Patch Management features configuration of WSUS integration, which is a very straightforward process (please refer to the product installation guide for details). Retina CS’ integration with Microsoft WSUS allows system users to manage a single or multiple WSUS servers with a few clicks of the mouse. The enablement of 3rd party patch integration extends our capabilities to meet the diverse demands of the modern corporate network.
Once properly configured you’ll notice that in the ‘Patch’ tab on a vulnerability, we provide correlated information on the patch from WSUS, including: whether or not it has been approved for WSUS deployment, whether or not it has been installed, and the patch release date and arrival date (when WSUS downloaded the patch).
You can identify a patch enabled smart group in the left hand tree by the [P] designation. This basically means that we’ve added an action for the smart group to enable it for patch management (please refer to the product documentation for details on proper configuration).
There are numerous filters to identify which patches are missing and subsequently need to be deployed but for the purpose of this blog we are looking for patches ‘not installed’, have a setting of ‘no’ for approval status, have a classification of ‘critical updates’ and vendor = ‘Oracle Corporation’.
Next you’ll want to ‘Approve’ the patches for installation, you’ll be able to approve the patch(es) for the smart group that is currently in the context or you can multi-select additional smart groups, the choice is yours.
Once you’ve approved the patch for the smart group(s) the target’s built-in Microsoft Windows Update client will download and perform the installation based on the settings specific to the individual smart group. You can use the tips above to perform subsequent scanning and receiving updated alerts.
Topic: Reporting on systems with the Oracle Java vulnerability
Tip 4: Filtered reports
The audit group you created above can also be used as filters in reports in the case where you’ve run broader scans (i.e. all audits) but only want to report on the specific Oracle Java vulnerabilities. When you set up the job to generate the report (yes, reports can also be scheduled) you’ll want to ensure that you select the appropriate audit group (in my example ‘Oracle Java CVE-2012-4681 Audits’).
Doing so will produce a report with machines that have the specific Oracle Java vulnerability.
Hopefully these tips and tricks will help you solidify a game plan on tackling the task of identifying and remediating systems with CVE-2012-4681. Read more about Java-based exploitation from our research team.
If you have concerns of the security posture of your environment, feel free to download and try our community version to discover, assess and gain remediation guidance in our simple to use standalone scanner, Retina or Retina CS Community (which supports Patch management).