Update

On July 14, 2015 Oracle released Version 8 Update 51 for workstations.

The Oracle Critical Patch Update Advisory includes a list of affected product releases and versions with patch availability.

Background

On July 11th, 2015, a new zero-day vulnerability was identified in Oracle Java 8 version 1.80_45. External security groups report that this vulnerability is actively being exploited in the wild.

Impact

Browsing the web with a vulnerable version of Java JRE installed means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a "drive-by download".

While "safe browsing" to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability nor does it prevent exploitation. Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.

Platforms Affected

• Application Express, version(s) prior to 5.0
• Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
• Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
• Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3
• Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2
• Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
• Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)
• Oracle Data Integrator, version(s) 11.1.1.3.0
• Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
• Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
• Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0
• Oracle Exalogic Infrastructure, version(s) 2.0.6.2
• Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
• Oracle iPlanet Web Proxy Server, version(s) 4.0
• Oracle iPlanet Web Server, version(s) 6.1, 7.0
• Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
• Oracle OpenSSO, version(s) 3.0-05
• Oracle Traffic Director, version(s) 11.1.1.7.0
• Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0
• Oracle Web Cache, version(s) 11.1.1.7.0
• Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0
• Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
• Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
• Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4
• Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3
• Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3
• Enterprise Manager Base Platform, version(s) 11.1.0.1
• Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4
• Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7
• Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
• Oracle Agile PLM, version(s) 9.3.4
• Oracle Agile PLM Framework, version(s) 9.3.3
• Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
• Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
• PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
• PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
• PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
• PeopleSoft Enteprise Portal - Interaction Hub, version(s) 9.1.00
• Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
• Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
• Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
• Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
• Oracle Communications Messaging Server, version(s) 7.0
• Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
• Oracle Java FX, version(s) 2.2.80
• Oracle Java SE, version(s) 6u95, 7u80, 8u45
• Oracle Java SE Embedded, version(s) 7u75, 8u33
• Oracle JRockit, version(s) R28.3.6
• Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
• Integrated Lights Out Manager (ILOM), version(s) prior to 3.2.6
• Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2
• Oracle Switch ES1-24, version(s) prior to 1.3.1
• Oracle VM Server for SPARC, version(s) 3.2
• SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
• Solaris, version(s) 10, 11.2
• Solaris Cluster, version(s) 3.3, 4.2
• Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
• Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
• Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
• Sun Ray Software, version(s) prior to 5.4.4
• Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
• MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
• Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

UISO Response

Using network sensors, the University Information Security Office (UISO) monitors the IU network for devices being exploited via drive-by-downloads and rootkits. This activity is expected to increase in the coming weeks. The successful compromise of a device will result in the device being blocked from the network (see KB doc https://kb.iu.edu/d/aliu).

When a patch is made available, the University Information Policy Office (UIPO) will leverage the Secunia Corporate Software Inspector (CSI) to distribute the patch to systems configured to use IU's Microsoft Update Service (see KB doc https://kb.iu.edu/d/arlc).

For devices configured to use IU's Global Config Manager Service, patches will be available in production as soon as testing can be completed.

After a reasonable amount of time, users who continue to run vulnerable versions of Java will be directly notified via email.

UISO Recommendations

• Regularly check for, update, and remove old versions of Java.
• Don't click on web popups, but close the window instead. If they won't close, open your process list and force your browser to close.

Workarounds

Disable Java. This workaround may prevent certain websites from working correctly.

Install the Microsoft Enhanced Mitigation Experience Toolkit (EMET) and configure it to protect Java.

Further Reading

• In Windows, how can I check for, update, and remove old versions of Java?
• What is a drive-by download?
• Oracle Security Advisories.