Forum Thread: JRE 6u23 + FPupdater indicated as vulnerable

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sun Microsystems
And, this specific program:
Oracle Java JRE 1.6.x / 6.x

This thread has been marked as locked.
aaaaaaaaaaaaaaaaa JRE 6u23 + FPupdater indicated as vulnerable
Member 11th Feb, 2011 22:06
Ranking: -5
Posts: 41
User Since: 15th Dec, 2008
System Score: 98%
Location: N/A

PSI 1.5.0.2 indicates Oracle JRE SE 6u23 plus the Floating Point issue updater installed as a vulnerable version. I think Secunia is aware of this updater and could force PSI not to generate an alarm in such a case.

ddmarshall RE: JRE 6u23 + FPupdater indicated as vulnerable
Dedicated Contributor 11th Feb, 2011 22:50
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 11th Feb, 2011 22:53
Does running the FPUpdater tool alter the Java executable file metadata? If there is no change to the version information, there is no way for Secunia PSI to detect it has been run.

Oracle recommend using the FPUpdater tool on server systems only. If the FPUpdater tool has been used, automatic updates of Java are disabled. The FPUpdater tool will need to be run in uninstall mode before the next scheduled update.

From http://www.oracle.com/technetwork/java/javase/fpup...
The FPUpdater tool is not intended for use on systems managed through auto-update as this will disable future auto-updates. We recommend that you wait until the next Critical Patch Update (CPU) when you can update your installation by going to http://java.com/latest.

Update 24 will be released on 15 February 2011
http://blogs.oracle.com/security/2011/02/security_...
--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
aaaaaaaaaaaaaaaaa RE: JRE 6u23 + FPupdater indicated as vulnerable
Member 11th Feb, 2011 23:01
Score: -5
Posts: 41
User Since: 15th Dec 2008
System Score: 98%
Location: N/A
on 11th Feb, 2011 22:50, ddmarshall wrote:
Does running the FPUpdater tool alter the Java executable file metadata? If there is no change to the version information, there is no way for Secunia PSI to detect it has been run.

The file's modification time stamp is later than the file's creation time.
The patched file has the same creation time stamp as the other files in the same directory. Thus, my conclusion is that the metadata changed.

on 11th Feb, 2011 22:50, ddmarshall wrote:

Oracle recommend using the FPUpdater tool on server systems only. If the FPUpdater tool has been used, automatic updates of Java are disabled. The FPUpdater tool will need to be run in uninstall mode before the next scheduled update.

I don't think Oracle's statement as quoted means they recommend the update only for server systems. They're recommending it only on systems where auto-update is disabled. A server system and an auto-update are two different things. I can guarantee you that on this system the AU is disabled.

My newest observation: after I had updated PSI to 2.0.0.3001, the alarm is no longer presented.
Was this reply relevant?
+0
-0
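The exchange above turns on a limitation of version-based inventory scanners: if an in-place patch leaves the version metadata untouched, a scanner that keys on that metadata will still report the old version as vulnerable, and the only trace on disk may be a modification time later than the file's creation time. The following Python is an added example written for this page; it is not Secunia's PSI code and not part of the thread. It assumes Java version strings in the `1.6.0_23` form, treats `1.6.0_24` as the first fixed release (as the Oracle blog quoted in the thread states), and uses a hypothetical set of file records constructed inline; which file the FPUpdater tool actually rewrites is not stated in the thread, so the patched entry uses a placeholder name.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# JRE 6 update 24 is the first release carrying the floating-point fix,
# per the Oracle blog quoted later in the thread.
FIXED_VERSION = "1.6.0_24"

# Java version strings look like "1.6.0_23" (update number after the underscore).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(version: str) -> tuple:
    """Turn '1.6.0_23' into (1, 6, 0, 23) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


@dataclass
class FileRecord:
    path: str
    version: str          # version metadata as a scanner such as PSI would read it
    created: datetime     # creation (birth) time of the file
    modified: datetime    # last modification time of the file


def version_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """What a purely version-based scanner concludes: older than the fix means vulnerable."""
    return parse_java_version(version) < parse_java_version(fixed)


def modified_after_install(rec: FileRecord, slack: timedelta = timedelta(minutes=5)) -> bool:
    """True if the file was rewritten noticeably later than it was created.

    An installer writes all files in one go, so a file whose modification time
    trails its creation time by more than a few minutes was changed in place
    afterwards (an in-place patch, a manual edit, or tampering). The version
    check cannot tell these apart, which is why this is only a trigger for
    manual review, not a verdict that the fix is present."""
    return rec.modified - rec.created > slack


def assess(rec: FileRecord) -> str:
    """Combine the version check with the timestamp heuristic."""
    if not version_vulnerable(rec.version):
        return "fixed"
    if modified_after_install(rec):
        return "version-vulnerable, modified after install: review manually"
    return "version-vulnerable"


def record_from_disk(path: str, version: str) -> FileRecord:
    """Build a FileRecord from a real file; the version must be supplied by the caller."""
    st = os.stat(path)
    # st_birthtime exists on macOS/BSD (and Windows from Python 3.12). On older
    # Python on Windows st_ctime is the creation time; on Linux st_ctime is the
    # inode change time, so there the heuristic is unreliable.
    birth = getattr(st, "st_birthtime", st.st_ctime)
    return FileRecord(path, version,
                      datetime.fromtimestamp(birth),
                      datetime.fromtimestamp(st.st_mtime))


# Constructed sample records (hypothetical paths and times, not taken from the thread).
INSTALL_TIME = datetime(2010, 12, 10, 9, 0)
PATCH_TIME = datetime(2011, 2, 11, 20, 0)
SAMPLE = [
    # Untouched 6u23 install: the version alone is enough to flag it.
    FileRecord("C:/Program Files/Java/jre6/bin/java.exe", "1.6.0_23", INSTALL_TIME, INSTALL_TIME),
    # Same install, but one file rewritten months later (placeholder name for the patched file).
    FileRecord("C:/Program Files/Java/jre6/lib/PATCHED-FILE-PLACEHOLDER.jar", "1.6.0_23", INSTALL_TIME, PATCH_TIME),
    # A 6u24 install: version metadata shows the fix, no heuristic needed.
    FileRecord("C:/Program Files/Java/jre6/bin/java.exe", "1.6.0_24", PATCH_TIME, PATCH_TIME),
]


def assess_all(records=SAMPLE):
    return [(r.path, assess(r)) for r in records]


if __name__ == "__main__":
    for path, verdict in assess_all():
        print(f"{verdict:60s} {path}")
```

The design point is that the timestamp check only widens the net: a file that was modified after install still reports the vulnerable version, so the scanner cannot clear it automatically, and on Linux the creation time is not even available through `os.stat`. The reliable signal remains the version metadata, which is why a scanner has no way to distinguish a patched 6u23 from an unpatched one and why moving to the release that carries the fix is the clean way to silence the alert.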
ddmarshall RE: JRE 6u23 + FPupdater indicated as vulnerable
Dedicated Contributor 11th Feb, 2011 23:50
Score: 1219
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
on 11th Feb, 2011 23:01, aaaaaaaaaaaaaaaaa wrote:
The file's modification time stamp is later than the file's creation time.
The patched file has the same creation time stamp as the other files in the same directory. Thus, my conclusion is that the metadata changed.

I don't think Oracle's statement as quoted means they recommend the update only for server systems. They're recommending it only on systems where auto-update is disabled. A server system and an auto-update are two different things. I can guarantee you that on this system the AU is disabled.

My newest observation: after I had updated PSI to 2.0.0.3001, the alarm is no longer presented.

I based my comment about the necessity to update client systems on this section of the Oracle blog:

Note that the impact of this vulnerability on desktops is minimal: the affected applications or applets running in Internet browsers for example, might stop responding and may need to be restarted; however the desktop itself will not be compromised (i.e. no compromise at the desktop OS level). Oracle therefore recommends that consumers use the Java auto-update mechanism to get this fix. This will prompt them to install the latest version of the Java Runtime Environment 6 update 24 or higher (JRE), which includes the fix for this vulnerability. JRE 6 update 24 will also be distributed with the Java SE and Java for Business Critical Patch Update - February 2011.
--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
