Java version 7 update 10 contains a security vulnerability that allows remote code execution. Use the Goverlan Remote Administration Suite to detect how widespread this version is within your enterprise and automatically close the security hole by removing, downgrading or upgrading Java.
Oracle Java Security Breach CVE-2013-0422
An exploit has recently been discovered that allows remote code execution through Java version 7 update 10 and earlier. This vulnerability allows an attacker to execute commands and code remotely. Oracle has released an update to the Java software. If your network is running Java version 7 update 10 (or earlier), you should immediately patch your systems to update 11.
More details on the vulnerability can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Plugging the Java v7u10 security hole using a Goverlan Scope Action
As its name implies, a Goverlan Scope Action is the configuration of a set of actions bound to a scope of objects. Since Scope Actions use push technology to perform the configured tasks, they are ideal for emergency situations like this one, where real-time action is required.
In this blog, we will demonstrate how to detect Java v7 Update 10 (and earlier) installations on your network and how to automatically update to Java v7 update 11, using Goverlan.
The estimated time to complete this would be about 10 minutes, assuming you have all the software downloaded already. You will need:
- Goverlan Remote Administration Suite v7 (go to Goverlan.com for a free 30-day trial – full version)
- The offline installers (both 32 and 64 bit flavors) for Java v7u11 or later (http://java.com/en/download/manual.jsp)
Once you have installed Goverlan and saved the Java 7 Update 11 installers on your machine, we can get started.
Auto-Updating Java from v7-u10 (and earlier) to v7-u11
Create a new Goverlan Scope Action object (call it Java 7u10 Fix) and define the object’s scope to include all machines that you wish to scan (for instance, the entire AD domain).
Now we need to define an action module which detects whether Java 7 Update 10 (or earlier) is installed on the machine and, if so, automatically installs Java 7 Update 11 over it. Since there are different installers for different architectures, we need to create two action modules. You can also separate these steps by reporting first and then deciding whether specific groups of computers need to be worked on.
Let me demonstrate how to create the Action Module for the 32 bit architecture, then the 64 bit one will be easy to reproduce.
Create a new Action Module; let's call it Java 7 update 10 Fix (32 bit).
First, let's configure this module to detect machines with Java 7 update 10 (or earlier) installed. Under the Filter section labeled Only if the following is true, select the following conditions:
- Add \ Remove > Computer Condition > Software Products > Product Name. Set the condition to “Contains” and the Desired Value to “Java”
- Add \ Remove > Computer Condition > Software Products > Product Name. Set the condition to “Doesn’t Contain” and the Desired Value to “FX”
- Add \ Remove > Computer Condition > Software Products > Product Name. Set the condition to “Doesn’t Contain” and the Desired Value to “Auto”
- Add \ Remove > Computer Condition > Software Products > Product Version. Set the condition to “Doesn’t Contain” and the Desired Value to “7.0.11”
Since this is the 32 bit module, we add a condition to only target this architecture:
- Add \ Remove > Computer Condition > Computer OS Information > OS Architecture. Set the condition to “=” and the Desired Value to “32”
Now we are ready to perform actions only on those filtered machines. Let's configure the installation of Java 7 Update 11 (32 bit).
Under the execute section labeled Execute the following Action(s):
- Add \ Remove > Execute Computer Action > Software Products > Install Software Package
- Click on the […] button. Since we haven't configured the Java Update package yet, it doesn't show in the list of available packages, so select Add/Remove Installation Package.
- Configure two installation packages, one for Java 7 Update 11 32 bit and another for the 64 bit version. Since the installers are EXE based, we need to configure the argument string so that it runs in admin mode:
/s /v /norestart AUTOUPDATECHECK=0 JAVAUPDATE=0 JU=0
- Once configured, click again on the […] button of the Software Package argument field and this time select the Java update 32 bit package.
Once completed, your action module configuration should look like this:
Now we have an Action Module which updates any 32 bit Java 7 update 10 (or earlier) to update 11. Let's create another Action Module which does the same thing, but for 64 bit architectures (no need to give step-by-step details again!).
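As an added example (not Goverlan's code or part of the original post), the script below reproduces the same filter logic on a single machine from the Uninstall registry keys: product name contains "Java", excludes "FX" and "Auto", then checks the release and update number instead of the blog's "version doesn't contain 7.0.11" test, so later updates are left alone and Java 6 is flagged for manual uninstall rather than reinstalled over. It assumes an elevated session, that the installers' display names follow the "Java 7 Update 10" / "Java(TM) 6 Update 37" pattern with a "(64-bit)" suffix for 64 bit builds, and that the installer paths are placeholders you replace.

```powershell
# Added example, not Goverlan's code: local equivalent of the Scope Action filter
# and install step. Assumes an elevated session; installer paths are placeholders.
param(
    [switch]$Install,
    [string]$Installer32 = 'C:\Deploy\jre-7u11-windows-i586.exe',  # placeholder
    [string]$Installer64 = 'C:\Deploy\jre-7u11-windows-x64.exe'    # placeholder
)

# On a 64 bit OS, 32 bit products register under Wow6432Node.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Same three Product Name conditions as the blog's filter.
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Java*' -and
                   $_.DisplayName -notlike '*FX*' -and
                   $_.DisplayName -notlike '*Auto*' }

# Assumed display-name format: "Java 7 Update 10", "Java(TM) 6 Update 37",
# optionally followed by "(64-bit)". Parsing release/update is stricter than
# "version doesn't contain 7.0.11": 7u12+ is not touched, Java 6 is reported.
$findings = foreach ($p in $products) {
    if ($p.DisplayName -match 'Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
        $release = [int]$Matches[1]; $update = [int]$Matches[2]
        $status = if ($release -eq 7 -and $update -le 10) { 'Patch to 7u11' }
                  elseif ($release -lt 7)                 { 'Uninstall manually' }
                  else                                    { 'Current' }
        [pscustomobject]@{
            Name    = $p.DisplayName
            Is64Bit = ($p.DisplayName -like '*64-bit*')
            Status  = $status
        }
    }
}
$findings | Format-Table -AutoSize

if ($Install) {
    foreach ($f in $findings | Where-Object { $_.Status -eq 'Patch to 7u11' }) {
        $exe = if ($f.Is64Bit) { $Installer64 } else { $Installer32 }
        # Argument string taken from the blog post above.
        $proc = Start-Process -FilePath $exe -Wait -PassThru `
            -ArgumentList '/s /v /norestart AUTOUPDATECHECK=0 JAVAUPDATE=0 JU=0'
        "Installer exit code for '$($f.Name)': $($proc.ExitCode)"
    }
}
```

Run it without -Install first to get the report; a non-zero installer exit code corresponds to the failed nodes you would reprocess with Run on Failed Nodes.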
Finally, we create another Scope Action that reports the installed Java updates on all of our machines so that we can verify that all went well. Configure the Action Module of the reporting Scope Action as follows:
The resulting Action Modules window will look like this:
After we finish creating the Scope Action, we can run it on demand or schedule it to run later.
Reporting the results
Configure a new Scope Action and Action Module like the one below to verify the desired results.
After running the reporting Scope Action, you can create an Excel report, web report or text file report. I personally prefer the HTML – Datasheet model because you can filter the list very quickly with the filter controls. The final report displays the currently installed Java updates on your machines, and if all went well, you shouldn't see any Java 7 Update 10 lurking around!
If any installs failed, simply use the “Run on Failed Nodes” option to reprocess the failed computers.
It is important to note that installing this update requires elevation on Windows Vista and above. With Goverlan, you can set the Scope Action to run as the local administrator account by using the Run As function for Scope Actions. Also, the Java installer updates version 7 only; if you have version 6 installed, you will need to uninstall it manually.
Keeping up to date on security patches and software updates can be a daunting task, but with the Goverlan Remote Administration Suite you can identify patch and version levels in real time across your environment and remedy the situation quickly.