The OJVM patch is a fact of life as of October 2014. There's a new one
released quarterly with every CPU. It cannot be applied rolling and it must
be applied both on the primary and standby databases at the same time.
Reference Doc id 1929745.1
<https://support.oracle.com/epmos/faces/DocumentDisplay?id=1929745.1>.
If you can get by without JVM, remove it. You don't have to secure it if it
is not there. And since it is installed by default, consider altering your
database creation templates so they don't install it.
To remove, search support for "How to Reload the JVM" and select the one
that matches your release version. Each doc lists a procedure for creating
a removal script.
Doc id 2001512.1
<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2001512.1> is a
good reference for creating databases with only the options you use, and it
includes a useful *dependency matrix* for options that require JVM.
On Wed, Apr 27, 2016 at 8:37 AM, Freek D'Hooge <freek.dhooge@xxxxxxxxx>
wrote:
Thanks Neil
Was not aware of this mitigation patch
Kind regards,
Freek
On wo, 2016-04-27 at 14:02 +0100, Neil Chandler wrote:
Apologies, you are right Niall, but perhaps I should have been more
explicit than a quick reply from my phone... lets try again.
The OJVM patch is a full DB-down to install. No rolling install on RAC.
This rather screws up a large part of the point of implementing RAC - High
Availability.
If you don't use OJVM, it does seem rather a pain to patch when you are
not using the feature. However, you do have that attack surface, which
isn't good.
If you are not using OJVM you should patch with the *Mitigation patch*.
This blocks all known vulnerabilities for the OJVM for the ORACLE_HOME and
can be installed as a rolling patch (see *MOS: 19721304 *for the patch -
more info in *1929745.1*). However, it may break the OJVM if you are
using it. You need to check compatibility with the CPU (all up to Jan are
OK)
Neil
------------------------------
Date: Wed, 27 Apr 2016 13:18:37 +0100
Subject: Re: Oracle JavaVM patches
From: niall.litchfield@xxxxxxxxx
To: neil_chandler@xxxxxxxxxxx
CC: freek.dhooge@xxxxxxxxx; dmarc-noreply@xxxxxxxxxxxxx;
oracle-l@xxxxxxxxxxxxx
I disagree Neil. The CVSS matrices for the various OJVM vulnerabilities
(eg
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixDB
but there are later ones) indicate that the vulnerabilities are exploitable
over the network by a user with create session privileges. It's the
*existence* of the JVM that represents the attack vector - not whether you
use it or not.
On Wed, Apr 27, 2016 at 12:24 PM, Neil Chandler <neil_chandler@xxxxxxxxxxx>
wrote:
It is a full DB down, yes, but you only need to patch the OJVM if you are
using the OJVM. Not too many sites run Java in the database.
Neil.
sent from my phone
