Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

4 Tips to Identify, Patch & Report on the Oracle Java Vulnerability

Posted September 7, 2012    Jerome Diggs

Last week our security research team provided some very enlightening information on a nasty Oracle Java vulnerability that until recently was a zero-day.  Oracle provided a patch for the vulnerability found in advisory (CVE-2012-4681)  and as a follow-up to the blog post by our security research team we wanted to share with you some easy steps to follow in order to leverage Retina CS’ integration with Microsoft’s WSUS and our unique 3rd party patch integration features. This will get your systems patched as quickly as possible, and ensure your systems are correctly identified, alerted and reported on, in a timely manner.

Topic: Discovering the vulnerability in the enterprise

Tip 1: Creating a custom audit group for the audits related to CVE-2012-4681

In the case where you want to do focused scans against your network looking for this particular vulnerability you can create an audit group that specifically looks for CVE-2012-4681 the offending vulnerability across your enterprise (obviously this will be included in normal ‘all audits’ scans, as well).  In any case the audits you want to include are:

Audit ID 17016 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JDK

Audit ID 17017 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – Windows – JRE

Audit ID 17018 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JDK

Audit ID 17019 – Oracle Sun Java ClassFinder Vulnerability (CVE-2012-4681) – UNIX/Linux – JRE

Creating custom audit groups are great for ad-hoc scanning as it will allow you to quickly scan the enterprise for specific audits.

Tip 2: Creating an alert enabled smart group for CVE-2012-4681

You can also create a smart rule to alert you (via email) when new machines are added/removed with the vulnerability by using a single criteria and action, as noted below.

Additionally, you can create leverage the ‘Show Assets as Smart Group’ under ‘Perform Action’ which will create a filtered view in Retina CS for all systems that still have the vulnerability.

Users can quickly determine which systems still have the vulnerability across the enterprise with the click of a mouse.

Topic: Patching systems with the Oracle Java vulnerability

Tip 3: Leveraging the integrated Microsoft WSUS and 3rd party patching feature to patch CVE-2012-4681

For all Retina CS and Retina CS Community customers, our Patch Management features configuration of WSUS integration, which is a very straightforward process (please refer to the product installation guide for details).  Retina CS’ integration with Microsoft WSUS allows system users to manage a single or multiple WSUS servers with a few clicks of the mouse. The enablement of 3rd party patch integration extends our capabilities to meet the diverse demands of the modern corporate network.

Once properly configured you’ll notice that in the ‘Patch’ tab on a vulnerability, we provide correlated information on the patch from WSUS, including: whether or not it has been approved for WSUS deployment, whether or not it has been installed, and the patch release date and arrival date (when WSUS downloaded the patch).

You can identify a patch enabled smart group in the left hand tree by the [P] designation.  This basically means that we’ve added an action for the smart group to enable it for patch management (please refer to the product documentation for details on proper configuration).

There are numerous filters to identify which patches are missing and subsequently need to be deployed but for the purpose of this blog we are looking for patches ‘not installed’, have a setting of ‘no’ for approval status, have a classification of ‘critical updates’ and vendor = ‘Oracle Corporation’.

Next you’ll want to ‘Approve’ the patches for installation, you’ll be able to approve the patch(es) for the smart group that is currently in the context or you can multi-select additional smart groups, the choice is yours.

Once you’ve approved the patch for the smart group(s) the target’s built-in Microsoft Windows Update client will download and perform the installation based on the settings specific to the individual smart group.  You can use the tips above to perform subsequent scanning and receiving updated alerts.

Topic: Reporting on systems with the Oracle Java vulnerability

Tip 4: Filtered reports

The audit group you created above can also be used as filters in reports in the case where you’ve run broader scans (i.e. all audits) but only want to report on the specific Oracle Java vulnerabilities.  When you set up the job to generate the report (yes, reports can also be scheduled) you’ll want to ensure that you select the appropriate audit group (in my example ‘Oracle Java CVE-2012-4681 Audits’).

Doing so will produce a report with machines that have the specific Oracle Java vulnerability.

Hopefully these tips and tricks will help you solidify a game plan on tackling the task of identifying and remediating systems with CVE-2012-4681. Read more about Java-based exploitation from our research team.

If you have concerns of the security posture of your environment, feel free to download and try our community version to discover, assess and gain remediation guidance in our simple to use standalone scanner, Retina or Retina CS Community (which supports Patch management).

, , , , ,

Leave a Reply

Additional articles


Tales from the Datacenter: Vulnerability Management Nightmares

Posted May 27, 2015    Dave Shackleford

Vulnerability scanning, threat management, risk analysis, patching, and configuration management are some of the major activities usually associated with vulnerability management, and none of these are new…so why are we failing so badly at many of them?

, ,

Don’t Create a Different sudoers File for Each System

Posted May 20, 2015    Randy Franklin Smith

What if you have multiple Linux and/or Unix systems? Sudo management can become onerous and unwieldy if you try to manage a different sudoers file on each system. The good news is that sudo supports multiple systems.


What Does Microsoft Local Administrator Password Solution Really Do?

Posted May 19, 2015    Morey Haber

LAPS is a feature that allows the randomization of local administrator accounts across the domain. Although it would seem that this capability overlaps with features in BeyondTrust’s PowerBroker Password Safe (PBPS), the reality is it is more suited for simple use cases such as changing the local Windows admin account and not much more.

, ,