Actively Exploited Zero-Day Java Vulnerability - Updated

Monday, July 13, 2015

Update

On July 14, 2015, Oracle released Java Version 8 Update 51 for workstations.

The Oracle Critical Patch Update Advisory includes a list of affected product releases and versions with patch availability.

Background

On July 11, 2015, a new zero-day vulnerability was identified in Oracle Java 8 version 1.8.0_45 (8u45). External security groups report that this vulnerability is actively being exploited in the wild.

Impact

Browsing the web with a vulnerable version of the Java Runtime Environment (JRE) installed means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a "drive-by download".

While "safe browsing" to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability nor does it prevent exploitation. Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.

Platforms Affected

  • Application Express, version(s) prior to 5.0
  • Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
  • Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3
  • Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
  • Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)
  • Oracle Data Integrator, version(s) 11.1.1.3.0
  • Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
  • Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
  • Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0
  • Oracle Exalogic Infrastructure, version(s) 2.0.6.2
  • Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
  • Oracle iPlanet Web Proxy Server, version(s) 4.0
  • Oracle iPlanet Web Server, version(s) 6.1, 7.0
  • Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
  • Oracle OpenSSO, version(s) 3.0-05
  • Oracle Traffic Director, version(s) 11.1.1.7.0
  • Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0
  • Oracle Web Cache, version(s) 11.1.1.7.0
  • Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0
  • Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
  • Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
  • Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4
  • Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3
  • Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3
  • Enterprise Manager Base Platform, version(s) 11.1.0.1
  • Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4
  • Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7
  • Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
  • Oracle Agile PLM, version(s) 9.3.4
  • Oracle Agile PLM Framework, version(s) 9.3.3
  • Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
  • Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
  • PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
  • PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
  • PeopleSoft Enterprise Portal - Interaction Hub, version(s) 9.1.00
  • Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
  • Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
  • Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
  • Oracle Communications Messaging Server, version(s) 7.0
  • Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
  • Oracle Java FX, version(s) 2.2.80
  • Oracle Java SE, version(s) 6u95, 7u80, 8u45
  • Oracle Java SE Embedded, version(s) 7u75, 8u33
  • Oracle JRockit, version(s) R28.3.6
  • Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
  • Integrated Lights Out Manager (ILOM), version(s) prior to 3.2.6
  • Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2
  • Oracle Switch ES1-24, version(s) prior to 1.3.1
  • Oracle VM Server for SPARC, version(s) 3.2
  • SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
  • Solaris, version(s) 10, 11.2
  • Solaris Cluster, version(s) 3.3, 4.2
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
  • Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
  • Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
  • Sun Ray Software, version(s) prior to 5.4.4
  • Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
  • MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
  • Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

UISO Response

Using network sensors, the University Information Security Office (UISO) monitors the IU network for devices being exploited via drive-by downloads and rootkits. This activity is expected to increase in the coming weeks. A device that is successfully compromised will be blocked from the network (see KB doc https://kb.iu.edu/d/aliu).

When a patch is made available, the University Information Policy Office (UIPO) will leverage the Secunia Corporate Software Inspector (CSI) to distribute the patch to systems configured to use IU's Microsoft Update Service (see KB doc https://kb.iu.edu/d/arlc).

For devices configured to use IU's Global Config Manager Service, patches will be available in production as soon as testing can be completed.

After a reasonable amount of time, users who continue to run vulnerable versions of Java will be directly notified via email.

UISO Recommendations

  • Regularly check for, update, and remove old versions of Java.
  • Don't click on web popups, but close the window instead. If they won't close, open your process list and force your browser to close.
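The first recommendation above, checking which Java versions are installed and whether they predate the fix, can be scripted. The following PowerShell script is an added example and is not part of the UISO bulletin or any IU tooling; it assumes Oracle's Windows installer registers entries in the standard uninstall registry keys with a DisplayName such as "Java 8 Update 45", and it treats 8 Update 51 (the release named in this bulletin) as the patched threshold, flagging older Java 6 and 7 installs as candidates for removal.

```powershell
# Added example (not from the IU bulletin): inventory installed Oracle Java
# runtimes from the Windows uninstall keys and flag any older than
# Java 8 Update 51, the workstation release Oracle shipped on July 14, 2015.
# Assumption: DisplayName looks like "Java 8 Update 45", "Java 7 Update 80"
# or "Java(TM) 6 Update 45", optionally followed by "(64-bit)".

$PatchedMajor  = 8
$PatchedUpdate = 51

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
    # Read every uninstall entry; missing keys are skipped rather than erroring.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.DisplayName -match '^Java(\(TM\))? (\d+) Update (\d+)') {
                [pscustomobject]@{
                    DisplayName     = $_.DisplayName
                    Major           = [int]$Matches[2]
                    Update          = [int]$Matches[3]
                    UninstallString = $_.UninstallString
                }
            }
        }
}

function Test-JavaVulnerable {
    param([int]$Major, [int]$Update)
    # Java 6 and 7 (6u95, 7u80 are listed as affected) are old versions the
    # bulletin says to remove; Java 8 below Update 51 is unpatched.
    if ($Major -lt $PatchedMajor) { return $true }
    if ($Major -eq $PatchedMajor -and $Update -lt $PatchedUpdate) { return $true }
    return $false
}

$Installs = @(Get-JavaInstalls)
if ($Installs.Count -eq 0) {
    Write-Output 'No Oracle Java runtime is registered in the uninstall keys.'
}
foreach ($j in $Installs) {
    $state = if (Test-JavaVulnerable -Major $j.Major -Update $j.Update) {
        'VULNERABLE - update to 8u51 or remove'
    } else { 'patched' }
    Write-Output ('{0,-36} {1}' -f $j.DisplayName, $state)
}
```

Run it in an elevated PowerShell session on each workstation; the UninstallString column gives the command to remove a flagged install.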

Workarounds

Disable Java. This workaround may prevent certain websites from working correctly.

Install the Microsoft Enhanced Mitigation Experience Toolkit (EMET) and configure it to protect Java.

Further Reading

  • In Windows, how can I check for, update, and remove old versions of Java?
  • What is a drive-by download?
  • Oracle Security Advisories
