BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

4 Tips to Identify, Patch & Report on the Oracle Java Vulnerability

Post by Jerome Diggs September 7, 2012

Last week our security research team provided some very enlightening information on a nasty Oracle Java vulnerability that until recently was a zero-day. Oracle provided a patch for the vulnerability (CVE-2012-4681), and as a follow-up to the blog post by our security research team we wanted to share some easy steps for leveraging Retina CS’ integration with Microsoft’s WSUS and our unique 3rd party patch integration features. These steps will get your systems patched as quickly as possible and ensure they are correctly identified, alerted on and reported on in a timely manner.

Topic: Discovering the vulnerability in the enterprise

Tip 1: Creating a custom audit group for the audits related to CVE-2012-4681

If you want to run focused scans against your network for this particular vulnerability, you can create an audit group that looks specifically for CVE-2012-4681 across your enterprise (obviously these audits are included in normal ‘all audits’ scans as well). In either case, the audits you want to include are:

Audit ID 17016 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JDK

Audit ID 17017 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JRE

Audit ID 17018 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JDK

Audit ID 17019 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JRE

Creating custom audit groups is great for ad-hoc scanning, as it allows you to quickly scan the enterprise for specific audits.

Tip 2: Creating an alert enabled smart group for CVE-2012-4681

You can also create a smart rule to alert you (via email) when machines with the vulnerability are added or removed, using a single criterion and action, as noted below.

Additionally, you can leverage ‘Show Assets as Smart Group’ under ‘Perform Action’, which will create a filtered view in Retina CS of all systems that still have the vulnerability.

Users can quickly determine which systems still have the vulnerability across the enterprise with the click of a mouse.

Topic: Patching systems with the Oracle Java vulnerability

Tip 3: Leveraging the integrated Microsoft WSUS and 3rd party patching feature to patch CVE-2012-4681

For all Retina CS and Retina CS Community customers, our Patch Management features configuration of WSUS integration, which is a very straightforward process (please refer to the product installation guide for details).  Retina CS’ integration with Microsoft WSUS allows system users to manage a single or multiple WSUS servers with a few clicks of the mouse. The enablement of 3rd party patch integration extends our capabilities to meet the diverse demands of the modern corporate network.

Once properly configured you’ll notice that in the ‘Patch’ tab on a vulnerability, we provide correlated information on the patch from WSUS, including: whether or not it has been approved for WSUS deployment, whether or not it has been installed, and the patch release date and arrival date (when WSUS downloaded the patch).

You can identify a patch-enabled smart group in the left-hand tree by the [P] designation. This means that we’ve added an action to the smart group to enable it for patch management (please refer to the product documentation for details on proper configuration).

There are numerous filters to identify which patches are missing and need to be deployed, but for the purpose of this blog we are looking for patches that are ‘not installed’, have an approval status of ‘no’, have a classification of ‘critical updates’ and have vendor = ‘Oracle Corporation’.

Next you’ll want to ‘Approve’ the patches for installation. You can approve the patch(es) for the smart group that is currently in context, or you can multi-select additional smart groups; the choice is yours.

Once you’ve approved the patch for the smart group(s), the target’s built-in Microsoft Windows Update client will download and perform the installation based on the settings specific to the individual smart group. You can use the tips above to perform subsequent scanning and receive updated alerts.

Topic: Reporting on systems with the Oracle Java vulnerability

Tip 4: Filtered reports

The audit group you created above can also be used as a filter in reports in the case where you’ve run broader scans (i.e. all audits) but only want to report on the specific Oracle Java vulnerabilities. When you set up the job to generate the report (yes, reports can also be scheduled), you’ll want to ensure that you select the appropriate audit group (in my example, ‘Oracle Java CVE-2012-4681 Audits’).

Doing so will produce a report with machines that have the specific Oracle Java vulnerability.
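The logic behind Tips 1, 2 and 4, shown outside the product as an added example (not BeyondTrust code and not the Retina CS export format): it filters two scan exports down to the four audit IDs listed in Tip 1, works out which assets gained or lost the finding between scans, and builds the filtered report rows. The CSV layout, the host names and audit ID 900001 are constructed for illustration.

```python
import csv
import io

# Audit IDs from Tip 1, mapped to the (platform, package) named on the page.
AUDIT_GROUP = {
    17016: ("Windows", "JDK"),
    17017: ("Windows", "JRE"),
    17018: ("UNIX/Linux", "JDK"),
    17019: ("UNIX/Linux", "JRE"),
}

# Constructed sample exports (hypothetical layout: asset,audit_id).
# Audit ID 900001 is a made-up unrelated finding that the filter must ignore.
SCAN_BEFORE = """asset,audit_id
ws-014,17017
ws-014,900001
build-02,17016
db-lnx-01,17019
"""
SCAN_AFTER = """asset,audit_id
ws-014,900001
build-02,17016
app-lnx-07,17018
app-lnx-07,17019
"""

def affected(export_text):
    """Return {asset: set of matching audit IDs}, limited to the audit group."""
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        audit_id = int(row["audit_id"])
        if audit_id in AUDIT_GROUP:
            hits.setdefault(row["asset"], set()).add(audit_id)
    return hits

def compare(before_text, after_text):
    """Diff two scans: assets that gained, lost, or kept the finding."""
    before, after = affected(before_text), affected(after_text)
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "still_vulnerable": sorted(after.keys() & before.keys())}

def report(export_text):
    """Filtered report rows: (asset, platform, package), sorted."""
    return sorted((asset, *AUDIT_GROUP[a])
                  for asset, ids in affected(export_text).items() for a in ids)

if __name__ == "__main__":
    print(compare(SCAN_BEFORE, SCAN_AFTER), report(SCAN_AFTER))
```

An asset appears in "removed" only once none of the four audits fires on it, so a host with both a JDK and a JRE finding stays listed until both are gone.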

Hopefully these tips and tricks will help you solidify a game plan on tackling the task of identifying and remediating systems with CVE-2012-4681. Read more about Java-based exploitation from our research team.

If you have concerns about the security posture of your environment, feel free to download and try our community version to discover, assess and gain remediation guidance in our simple-to-use standalone scanner, Retina, or Retina CS Community (which supports patch management).

 

 
