Apologies, you are right Niall, but perhaps I should have been more explicit
than a quick reply from my phone... let's try again.
The OJVM patch is a full DB-down to install. No rolling install on RAC. This
rather screws up a large part of the point of implementing RAC - High
Availability.
If you don't use OJVM, it does seem rather a pain to patch when you are not
using the feature. However, you do have that attack surface, which isn't good.
If you are not using OJVM you should patch with the Mitigation patch. This
blocks all known vulnerabilities for the OJVM for the ORACLE_HOME and can be
installed as a rolling patch (see MOS: 19721304 for the patch - more info in
1929745.1). However, it may break the OJVM if you are using it. You need to
check compatibility with the CPU (all up to Jan are OK).
Neil
Date: Wed, 27 Apr 2016 13:18:37 +0100
Subject: Re: Oracle JavaVM patches
From: niall.litchfield@xxxxxxxxx
To: neil_chandler@xxxxxxxxxxx
CC: freek.dhooge@xxxxxxxxx; dmarc-noreply@xxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
I disagree Neil. The CVSS matrices for the various OJVM vulnerabilities (eg
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixDB
but there are later ones) indicate that the vulnerabilities are exploitable
over the network by a user with create session privileges. It's the *existence*
of the JVM that represents the attack vector - not whether you use it or not.
On Wed, Apr 27, 2016 at 12:24 PM, Neil Chandler <neil_chandler@xxxxxxxxxxx>
wrote:
It is a full DB down, yes, but you only need to patch the OJVM if you are using
the OJVM. Not too many sites run Java in the database.
Neil.
sent from my phone
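Added example, not part of the thread above and not code posted by either Neil or Niall: the Oracle SQL below answers the two questions the exchange turns on before you pick between the full OJVM PSU and the Mitigation Patch, namely whether the JVM component is present at all (Niall's point, that its existence is the attack surface) and whether any application schema actually holds Java objects (Neil's point, that the Mitigation Patch can break a site that uses OJVM). The views and columns are standard data dictionary views; DBA_REGISTRY_SQLPATCH only exists from 12.1, and the list of Oracle-maintained schemas excluded in the second query is an assumed partial list, so extend it for your own release. The CREATE SESSION check walks one level of role grants only, so nested roles (a role granted to a role) would need a CONNECT BY on DBA_ROLE_PRIVS.

```sql
-- Added example for the OJVM patching discussion; run as a DBA in each
-- database in the ORACLE_HOME you are about to patch.

-- 1. Is the JVM component registered? If JAVAVM shows up here, the
--    network-reachable attack surface exists whether or not anyone
--    writes Java in this database.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id IN ('JAVAVM', 'CATJAVA', 'XML')
ORDER  BY comp_id;

-- 2. Does any application schema actually own Java objects? Rows from
--    non-Oracle owners mean the feature is in use and the Mitigation
--    Patch may break something; no rows is the "not using OJVM" case.
--    The excluded-owner list is an assumption; add the Oracle schemas
--    present in your release (on 12c you can instead filter on
--    dba_users.oracle_maintained = 'N').
SELECT owner, object_type, COUNT(*) AS object_count
FROM   dba_objects
WHERE  object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE', 'JAVA DATA')
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'ORDSYS', 'ORDPLUGINS',
                     'EXFSYS', 'XDB', 'OLAPSYS', 'CTXSYS', 'WMSYS', 'DBSNMP')
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 3. Who can reach the JVM? The CVSS entries cited in the thread need
--    only CREATE SESSION, so every open account listed here is in scope,
--    not just the Java developers. Covers direct grants and one level of
--    role grants (e.g. CONNECT).
SELECT u.username, u.account_status, u.profile
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
AND   (EXISTS (SELECT 1
               FROM   dba_sys_privs p
               WHERE  p.grantee    = u.username
               AND    p.privilege  = 'CREATE SESSION')
    OR EXISTS (SELECT 1
               FROM   dba_role_privs r
               JOIN   dba_sys_privs p ON p.grantee = r.granted_role
               WHERE  r.grantee    = u.username
               AND    p.privilege  = 'CREATE SESSION'))
ORDER  BY u.username;

-- 4. Which OJVM patches has datapatch already recorded in this database?
--    12.1 and later only; on 11g look at dba_registry_history instead.
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
WHERE  UPPER(description) LIKE '%OJVM%'
ORDER  BY action_time;
```

Run the four in order: if query 1 returns JAVAVM and query 2 returns nothing, you are the "have the attack surface but don't use it" site Neil describes, and the rolling Mitigation Patch is the candidate; if query 2 returns rows, test that patch against those owners' code before relying on it, or plan the DB-down OJVM PSU.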