Thanks Neil
Was not aware of this mitigation patch
Kind regards,
Freek
On wo, 2016-04-27 at 14:02 +0100, Neil Chandler wrote:
Apologies, you are right Niall, but perhaps I should have been more
explicit than a quick reply from my phone... lets try again.
The OJVM patch is a full DB-down to install. No rolling install on
RAC. This rather screws up a large part of the point of implementing
RAC - High Availability.
If you don't use OJVM, it does seem rather a pain to patch when you
are not using the feature. However, you do have that attack surface,
which isn't good.
If you are not using OJVM you should patch with the Mitigation patch.
This blocks all known vulnerabilities for the OJVM for the ORACLE_HOME
and can be installed as a rolling patch (see MOS: 19721304 for the
patch - more info in 1929745.1). However, it may break the OJVM if you
are using it. You need to check compatibility with the CPU (all up to
Jan are OK)
Neil
______________________________________________________________________
Date: Wed, 27 Apr 2016 13:18:37 +0100
Subject: Re: Oracle JavaVM patches
From: niall.litchfield@xxxxxxxxx
To: neil_chandler@xxxxxxxxxxx
CC: freek.dhooge@xxxxxxxxx; dmarc-noreply@xxxxxxxxxxxxx;
oracle-l@xxxxxxxxxxxxx
I disagree Neil. The CVSS matrices for the various OJVM
vulnerabilities
(eg
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixDB
but there are later ones) indicate that the vulnerabilities are exploitable
over the network by a user with create session privileges. It's the
*existence* of the JVM that represents the attack vector - not whether you
use it or not.
On Wed, Apr 27, 2016 at 12:24 PM, Neil Chandler
<neil_chandler@xxxxxxxxxxx> wrote:
It is a full DB down, yes, but you only need to patch the OJVM
if you are using the OJVM. Not too many sites run Java in the
database.
Neil.
sent from my phone
