Novell Products and the Oracle Java Critical Patch Update Advisory – February 2013

  • 7011765
  • 11-Feb-2013
  • 16-May-2013

Environment

Novell

Situation

This technical note provides information regarding the Oracle Java 7 Security Manager Bypass Vulnerability (CVE-2013-0422), which was reported on January 10, 2013. The Oracle web site defines this vulnerability, the products affected, and the remedy.

On Friday, February 1, 2013, Oracle released the Java SE Critical Patch Update Advisory – February 2013. This update includes the fix for CVE-2013-0422 along with fixes for 50 additional security vulnerabilities in Java 6, Java 7, and some earlier versions. The updates relevant to Novell software are Java 7u13 and Java 6u39. Oracle strongly recommends that customers apply these updates as soon as possible.

Note: This document discusses the Java programming language. There is no relationship between the Java programming language and JavaScript. JavaScript is an entirely independent scripting language.

Some things you should know

  1. The affected software is the JDK and JRE distributions of Oracle Java 6 and 7.

  2. The fix applies to both client and server deployments of Java including the Java plug-in and Java Web Start on every operating system (Linux, Windows, MacOS).

  3. At the present time this vulnerability is being actively exploited.

  4. Depending on the malicious software involved, the end user may be unaware that their system has been exploited.

  5. Many of Novell’s software products rely upon a secure Java programming language. Some Novell products have a private version of Java embedded within the product. These products are not vulnerable to the security issues described here. Other Novell products use the default Java runtime available on the system.

  6. An exploit cannot be accomplished by using a Novell software product. A successful exploit occurs while visiting web pages containing untrusted Java Applets or untrusted Java Web Start applications.

  7. If you choose to update Java on your systems, please do so in a staged environment and try it with your Novell software before using it in production.

Resolution

To eliminate the threat of the Oracle Java vulnerabilities you should consider updating every workstation and server to the latest security patch for the version of Java being used. This is recommended regardless of whether there is any Novell software in the environment.

There are several potential ways to accomplish this, but the two recommended most often are:

  1. Update Java – Oracle recommends upgrading to Oracle Java 6 update 39 or to Oracle Java 7 update 13, and to any subsequent security updates as they become available.

  2. Workaround: Disable Java in Web Browsers – Oracle does not mention this option, but the United States Computer Emergency Readiness Team (US-CERT) web site, which is hosted by the U.S. Department of Homeland Security, provides this solution as an alternative to updating Java.

The print and electronic media report what industry pundits are saying about the Java vulnerabilities. Novell suggests that the links above give you the most reliable information, and that you should carefully consider all options, and make an informed choice on how your organization will respond.
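
A check for the update levels named above (Java 6u39 and Java 7u13), as an added example that is not part of the original note and is not Novell or Oracle code. The function names and the sample `java -version` output are constructed for illustration, and the check assumes Oracle's `1.<family>.0_<update>` version strings.

```shell
#!/bin/sh
# Added example, not Novell or Oracle code. It assumes Oracle's
# "1.<family>.0_<update>" version strings, as printed by `java -version`.

# Print the version string from `java -version` output read on stdin.
extract_java_version() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a version string against the levels named in this note
# (Java 6u39 and Java 7u13). Prints one of:
#   patched       at or above the named update
#   needs-update  Java 6 or 7 below the named update
#   not-covered   another family, or a string this check cannot parse
classify_java_version() {
    ver=$1
    case $ver in
        1.6.0|1.6.0[_-]*) floor=39 ;;
        1.7.0|1.7.0[_-]*) floor=13 ;;
        *) echo not-covered; return 0 ;;
    esac
    case $ver in
        *_*) update=${ver#*_} ;;   # digits after the underscore
        *)   update=0 ;;           # "1.7.0" is the initial release
    esac
    update=${update%%-*}           # drop build suffixes such as "-b20"
    case $update in
        ''|*[!0-9]*) echo not-covered; return 0 ;;
    esac
    # Strip leading zeros ("1.6.0_05") so the number is never read as octal.
    while [ "${update#0}" != "$update" ] && [ -n "${update#0}" ]; do
        update=${update#0}
    done
    if [ "$update" -ge "$floor" ]; then echo patched; else echo needs-update; fi
}

# Constructed sample of `java -version` output (the real command writes to stderr).
SAMPLE_OUTPUT='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)'

# Check the default runtime on this host, if one is on the PATH.
check_local_java() {
    command -v java >/dev/null 2>&1 || { echo no-java-on-path; return 0; }
    classify_java_version "$(java -version 2>&1 | extract_java_version)"
}

sample_ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_java_version)
printf '%s -> %s\n' "$sample_ver" "$(classify_java_version "$sample_ver")"
```

Call `check_local_java` to classify the default runtime on the PATH, which is the runtime the note says some Novell products use.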


Additional Information

If the set of Novell products deployed in your environment does not utilize Java applets you can disable the Java plug-in while continuing to take advantage of all the product capabilities.

However, if any of the Novell products deployed in your environment use Java applets, you will need to have a Java plug-in to use the features implemented using applets.

What follows is a list of Novell products indicating whether the product requires a Java plug-in and whether it uses Java Web Start. The list of products and their Java characteristics is evolving. Check back periodically for updates to this list.

| Product name | Comment |
| --- | --- |
| Novell Service Desk | Does not require a Java plug-in |
| ZENworks Application Virtualization | Does not use the Java programming language |
| ZENworks Asset Management | Does not require a Java plug-in |
| ZENworks Asset Inventory | Does not require a Java plug-in |
| ZENworks Configuration Management | Does not require a Java plug-in |
| ZENworks Configuration Management Advanced | Uses Java Web Start to implement the Remote SSH feature |
| ZENworks Configuration Management Enterprise | Uses Java Web Start to implement the Remote SSH feature |
| ZENworks Handheld Management | Does not require a Java plug-in |
| ZENworks Endpoint Security Management | Does not require a Java plug-in |
| ZENworks Full Disk Encryption | Does not require a Java plug-in |
| ZENworks Linux Management | Requires a Java plug-in in order to use the Remote Control, Remote View, and Remote Login features |
| ZENworks Mobile Management | Does not use the Java programming language |
| ZENworks Patch Management | Does not require a Java plug-in |
| ZENworks Server Management | Does not require a Java plug-in |
| ZENworks Suites – Novell Endpoint Lifecycle Mgmt Suite | Refer to the constituent components of this suite |
| ZENworks Suites – Novell Endpoint Protection Suite | Refer to the constituent components of this suite |
| ZENworks Suites – Novell Total Endpoint Management Suite | Refer to the constituent components of this suite |
| Border Manager | This product does not use the Java programming language. The iManager component and the plug-in for Border Manager do not require a Java plug-in. |
| Novell Business Continuity Clustering | Unknown whether a Java plug-in is required. The iManager component and the plug-in for Novell Business Continuity Clustering do not require a Java plug-in. |
| Novell Cluster Services | Unknown whether a Java plug-in is required. The iManager component and the plug-in for Novell Cluster Services do not require a Java plug-in. |
| Novell File Management Suite | Refer to the constituent components of the suite |
| Novell Dynamic File Services | Does not use the Java programming language |
| Novell File Reporter | Unknown whether a Java plug-in is required |
| Novell Storage Manager | Unknown whether a Java plug-in is required. |
| Novell GroupWise | The GroupWise engine and agents do not require a Java plug-in. The administrative features of GroupWise (ConsoleOne and snap-ins) do not require a Java plug-in. The GroupWise Client for Macintosh does not require a Java plug-in. The GroupWise Client for Linux does not require a Java plug-in. The GroupWise Client for Windows does not require a Java plug-in. GroupWise WebAccess does not require a Java plug-in. The Novell Messenger server does not require a Java plug-in. The Novell Messenger clients for Windows, Macintosh, and Linux do not require a Java plug-in. |
| Novell Data Synchronizer | Does not use the Java programming language |
| NetWare for NFS Gateway | This product does not use the Java programming language. The iManager component and the plug-ins for NFS Gateway do not require a Java runtime. |
| Novell Open Workgroup Suite | Refer to the constituent components of this suite |
| NOWS Small Business Edition | Refer to the constituent components of this product |
| Novell Vibe | This product requires a Java plug-in to use the “Edit” button to edit a file, to upload files, and for the work flow builder feature. |
| Novell Open Enterprise Server | The eDirectory component of OES does not require a Java plug-in. The iManager component of OES and the plug-ins for iManager do not require a Java plug-in. The iPrint component of OES does not require a Java plug-in. Novell Remote Manager (NRM) requires the Java plug-in for charts and graphs. Novell Open Enterprise Server – The remaining components do not require a Java plug-in. |