Environment
Situation
This technical note provides information regarding the Oracle Java 7 Security Manager Bypass Vulnerability (CVE-2013-0422), which was reported on January 10, 2013. The Oracle web site defines this vulnerability, the products affected, and the remedy.
On Friday February 1, 2013 Oracle released Java SE Critical Patch Update Advisory – February 2013. This update includes the fix for CVE-2013-0422 with fixes for 50 additional security vulnerabilities in Java 6, Java 7, and some earlier versions. The updates relevant to Novell software are Java 7u13 and Java 6u39. Oracle strongly recommends that customers apply these updates as soon as possible.
Note: This document discusses the Java programming language. There is no relationship between the Java programming language and JavaScript. JavaScript is an entirely independent scripting language.
Some things you should know
The affected software is the JDK and JRE distributions of Oracle Java 6 and 7.
The fix applies to both client and server deployments of Java including the Java plug-in and Java Web Start on every operating system (Linux, Windows, MacOS).
At the present time this vulnerability is being actively exploited.
Depending on the malicious software involved, the end user may be unaware that their system has been exploited.
Many of Novell’s software products rely upon a secure Java programming language. Some Novell products have a private version of Java embedded within the product. These products are not vulnerable to the security issues described here. Other Novell products use the default Java runtime available on the system.
An exploit cannot be accomplished by using a Novell software product. A successful exploit occurs while visiting web pages containing untrusted Java Applets or untrusted Java Web Start applications.
If you choose to update Java on your systems, please do so in a staged environment and try it with your Novell software before using it in production.
Resolution
To eliminate the threat of the Oracle Java vulnerabilities you should consider updating every workstation and server to the latest security patch for the version of Java being used. This is recommended regardless of whether there is any Novell software in the environment.
There are several potential ways to accomplish this, but the two recommended most often are:
Update Java – Oracle recommends upgrading to Oracle Java 6 update 39 or to Oracle Java 7 update 13, and to any subsequent security updates as they become available.
Workaround: Disable Java in Web Browsers – Oracle does not mention this option, but the United States Computer Emergency Readiness Team (US-CERT) web site, which is hosted by the U.S. Department of Homeland Security, provides this solution as an alternative to updating Java.
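As an added example, not part of this Novell note or of any Oracle or Novell tool, the following Python script checks the Java version a host reports (the first line of `java -version` output) against the patched update levels this note names, Java 7 update 13 and Java 6 update 39, so an administrator can list which hosts still need the update. The host names and version strings in SAMPLE_INVENTORY are constructed sample data, and PATCHED_UPDATES is an assumption that encodes the two update levels given above.

```python
import re

# Assumption: minimum patched update per major version, taken from this note
# (Java 7 Update 13, Java 6 Update 39). Java's legacy version scheme is 1.<major>.0_<update>.
PATCHED_UPDATES = {7: 13, 6: 39}

# Matches "1.7.0_11" inside a line such as: java version "1.7.0_11"
_VERSION_RE = re.compile(r'1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, update) parsed from a legacy-style Java version
    string, or None if the text contains no such version (e.g. Java absent)."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, update = m.groups()
    return int(major), int(minor), int(update or 0)


def is_patched(text):
    """True only when the reported version is at or above the update level
    this note names for its major version. Majors not covered by the note
    (for example Java 5) return False, since no patched level is known here."""
    parsed = parse_java_version(text)
    if parsed is None:
        return False
    major, _minor, update = parsed
    required = PATCHED_UPDATES.get(major)
    if required is None:
        return False
    return update >= required


def audit(hosts):
    """hosts: mapping of host name -> first line of `java -version` output.
    Returns a sorted list of (host, version, status) tuples."""
    report = []
    for host, line in sorted(hosts.items()):
        parsed = parse_java_version(line)
        version = "unparsed" if parsed is None else "1.%d.%d_%02d" % parsed
        status = "OK" if is_patched(line) else "UPDATE REQUIRED"
        report.append((host, version, status))
    return report


# Constructed sample inventory: not real hosts, just illustrative output lines.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_11"',      # vulnerable Java 7
    "ws-02": 'java version "1.7.0_13"',      # patched Java 7
    "srv-01": 'java version "1.6.0_37"',     # vulnerable Java 6
    "srv-02": 'java version "1.6.0_39"',     # patched Java 6
    "srv-03": "java: command not found",     # no Java on PATH
}

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print("%-8s %-10s %s" % (host, version, status))
```

Note that `java -version` writes to standard error, so capture it with `2>&1` when collecting the lines. The check only sees the runtime found on the PATH: it does not see a private Java runtime embedded within a product (which this note says is not affected), nor whether the browser plug-in is enabled, so a host reported as "OK" may still have an older browser plug-in and should be confirmed separately.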
The print and electronic media report what industry pundits are saying about the Java vulnerabilities. Novell suggests that the links above give you the most reliable information, and that you should carefully consider all options, and make an informed choice on how your organization will respond.
Additional Information
If the set of Novell products deployed in your environment does not utilize Java applets you can disable the Java plug-in while continuing to take advantage of all the product capabilities.
However, if any of the Novell products deployed in your environment use Java applets, you will need to have a Java plug-in to use the features implemented using applets.
What follows is a list of Novell products indicating whether the product requires a Java plug-in and whether it uses Java Web Start. The list of products and their Java characteristics is evolving. Check back periodically for updates to this list.
Product name | Comment
Novell Service Desk | Does not require a Java plug-in.
ZENworks Application Virtualization | Does not use the Java programming language.
ZENworks Asset Management | Does not require a Java plug-in.
ZENworks Asset Inventory | Does not require a Java plug-in.
ZENworks Configuration Management | Does not require a Java plug-in.
ZENworks Configuration Management Advanced | Uses Java Web Start to implement the Remote SSH feature.
ZENworks Configuration Management Enterprise | Uses Java Web Start to implement the Remote SSH feature.
ZENworks Handheld Management | Does not require a Java plug-in.
ZENworks Endpoint Security Management | Does not require a Java plug-in.
ZENworks Full Disk Encryption | Does not require a Java plug-in.
ZENworks Linux Management | Requires a Java plug-in in order to use the Remote Control, Remote View, and Remote Login features.
ZENworks Mobile Management | Does not use the Java programming language.
ZENworks Patch Management | Does not require a Java plug-in.
ZENworks Server Management | Does not require a Java plug-in.
ZENworks Suites – Novell Endpoint Lifecycle Mgmt Suite | Refer to the constituent components of this suite.
ZENworks Suites – Novell Endpoint Protection Suite | Refer to the constituent components of this suite.
ZENworks Suites – Novell Total Endpoint Management Suite | Refer to the constituent components of this suite.
Border Manager | This product does not use the Java programming language. The iManager component and the plug-in for Border Manager do not require a Java plug-in.
Novell Business Continuity Clustering | Unknown whether a Java plug-in is required. The iManager component and the plug-in for Novell Business Continuity Clustering do not require a Java plug-in.
Novell Cluster Services | Unknown whether a Java plug-in is required. The iManager component and the plug-in for Novell Cluster Services do not require a Java plug-in.
Novell File Management Suite | Refer to the constituent components of the suite.
Novell Dynamic File Services | Does not use the Java programming language.
Novell File Reporter | Unknown whether a Java plug-in is required.
Novell Storage Manager | Unknown whether a Java plug-in is required.
Novell GroupWise | The GroupWise engine and agents do not require a Java plug-in. The administrative features of GroupWise (ConsoleOne and snap-ins) do not require a Java plug-in. The GroupWise Client for Macintosh does not require a Java plug-in. The GroupWise Client for Linux does not require a Java plug-in. The GroupWise Client for Windows does not require a Java plug-in. GroupWise WebAccess does not require a Java plug-in. The Novell Messenger server does not require a Java plug-in. The Novell Messenger clients for Windows, Macintosh, and Linux do not require a Java plug-in.
Novell Data Synchronizer | Does not use the Java programming language.
NetWare for NFS Gateway | This product does not use the Java programming language. The iManager component and the plug-ins for NFS Gateway do not require a Java runtime.
Novell Open Workgroup Suite | Refer to the constituent components of this suite.
NOWS Small Business Edition | Refer to the constituent components of this product.
Novell Vibe | This product requires a Java plug-in to use the “Edit” button to edit a file, to upload files, and for the workflow builder feature.
Novell Open Enterprise Server | The eDirectory component of OES does not require a Java plug-in. The iManager component of OES and the plug-ins for iManager do not require a Java plug-in. The iPrint component of OES does not require a Java plug-in. Novell Remote Manager (NRM) requires the Java plug-in for charts and graphs. The remaining components of Novell Open Enterprise Server do not require a Java plug-in.