Saturday, August 5, 2023

vulnerabilities by Qualys report

A Qualys scan reported a large number of vulnerabilities on our EBS R12.2.10 servers, even though the JDK on them had already been upgraded to 1.7.0_331. Resolving the findings became a priority task for us because of a corporate security requirement. The two Java launchers that EBS itself uses (the AD utilities' $ADJVAPRG and the application's $AFJVAPRG) were both on the upgraded version:

$ $ADJVAPRG -version
java version "1.7.0_331"
Java(TM) SE Runtime Environment (build 1.7.0_331-b06)
Java HotSpot(TM) Server VM (build 24.331-b06, mixed mode)

$ $AFJVAPRG -version
java version "1.7.0_331"
Java(TM) SE Runtime Environment (build 1.7.0_331-b06)
Java HotSpot(TM) 64-Bit Server VM (build 24.331-b06, mixed mode)

Some of the findings are addressed by applying the latest Critical Patch Update (CPU) patches and upgrading the JDK and JRE (see details). The rest are copies of Java, or Java archives, that live outside the JDK directories and that no JDK upgrade will ever touch; those are the subject of this post.

JAR files are archives of Java classes, and the classes are the actual code that runs inside the JVM. For the file $FMW_HOME/wlserver_10.3/server/lib/consoleapp/APP-INF/lib/log4j-1.2.8.jar, Oracle fixed the vulnerability by removing the Java classes from the archive. The scanner flags it by its file name, but the jar is only a placeholder and poses no harm. That is easy to verify: list the archive and confirm that no .class entries remain, only a manifest and a README.
$ unzip -l log4j-1.2.8.jar
Archive:  log4j-1.2.8.jar
  Length     Date   Time    Name
 ---------  ---------  -------  -----------------------------------
        0   02-04-20 21:51   META-INF/
       68  02-04-20 21:51   META-INF/MANIFEST.MF
       85  02-04-20 21:50   README
 --------                   -------
      153                   3 files

Qualys also reported the following Java launchers (version and the scanner's "Enhanced" detection tag as listed in the report):

$COMMON_TOP/clone/FMW/t2pjdk/bin/java 1.7.0_85-b15 Enhanced
$COMMON_TOP/clone/FMW/t2pjdk/jre/bin/java 1.7.0_85-b15 Enhanced
(It is safe to delete the files above; the folders are recreated by the next adpreclone.pl run.)
$COMMON_TOP/clone/jre/bin/java 1.7.0_331-b06 Enhanced  
(This one is not in a JDK folder, so a JDK upgrade will not fix it. It may be recreated by an adpreclone.pl run.)
$COMMON_TOP/adopclone_nodeName/FMW/t2pjdk/jre/bin/java 1.7.0_85-b15 Enhanced
$COMMON_TOP/adopclone_nodeName/FMW/t2pjdk/bin/java 1.7.0_85-b15 Enhanced
$COMMON_TOP/adopclone_nodeName/jre/bin/java 1.7.0_85-b15 Enhanced
($COMMON_TOP/adopclone_nodeName may be created or updated by an ADOP run such as fs_clone. nodeName is the EBS host where ADOP, or possibly adpreclone.pl, ran.)
$APPL_TOP/msc/12.0.0/bin/SNO/scp/12.2/sno/installer_jre/bin/java 1.6.0_12-b04 Enhanced
$APPL_TOP/msc/12.0.0/bin/PS/scp/12.2/ps/jre/bin/java 1.8.0_92-b14 Enhanced

Oracle Support confirmed that these files can be deleted and that some of them will be recreated the next time adpreclone.pl runs. I wrote a script to clean them up on the RUN file system (and on the PATCH file system, or run fs_clone to sync it). Note that the 1.7.0_331 copy under $COMMON_TOP/clone/jre shows that a scanner can flag a launcher that is already on the current version, so the fix is to remove the stray copies rather than chase the version number alone.
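Before deleting anything it helps to know every place a java launcher exists, because the copies above are only the ones the scanner happened to list. The following POSIX shell audit is an added example, not the original post's script or anything shipped with EBS: it walks the given roots, runs each java launcher with -version (the same check the page uses for $ADJVAPRG and $AFJVAPRG), flags the copies older than the JDK you expect, and counts .class entries in a jar so a placeholder like the fixed log4j-1.2.8.jar can be confirmed empty. The roots, the expected version string 1.7.0_331 and the EXPECTED_JAVA variable name are assumptions; on an EBS host you would pass $COMMON_TOP, $APPL_TOP and $FMW_HOME.

```shell
#!/bin/sh
# Added example (not from the original post): inventory every "java"
# launcher under the given roots, ask each one for its version, and flag
# the copies older than the JDK you expect. Roots and the expected version
# string are assumptions; on an EBS host pass $COMMON_TOP, $APPL_TOP and
# $FMW_HOME with the version that "$ADJVAPRG -version" reports.

# Print "<version> <path>" for every executable regular file named java.
# java -version writes to stderr, hence 2>&1. A launcher that cannot run
# (wrong architecture, truncated copy) is reported as "unknown", not skipped,
# because it is still a file the scanner will fingerprint.
java_inventory() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name java 2>/dev/null | while IFS= read -r f; do
            [ -x "$f" ] || continue
            ver=$("$f" -version 2>&1 | sed -n 's/^.* version "\([^"]*\)".*$/\1/p' | head -n 1)
            [ -n "$ver" ] || ver=unknown
            printf '%s %s\n' "$ver" "$f"
        done
    done
}

# True (exit 0) when version $1 is older than $2. "1.7.0_331" style strings
# are split on "." and "_" and compared field by field as integers, so the
# update number 85 is correctly seen as older than 331 (a plain string
# compare would rank "1.7.0_85" above "1.7.0_331").
java_version_lt() {
    a=$(printf '%s' "$1" | tr '_' '.')
    b=$(printf '%s' "$2" | tr '_' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1        # all fields equal
        x=$(printf '%s' "$x" | sed 's/[^0-9].*//')    # drop "b06" style suffixes
        y=$(printf '%s' "$y" | sed 's/[^0-9].*//')
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# List launchers under the roots that are older than $1 (or unreadable).
# Exit status 1 when at least one stale copy was found, 0 when clean, so the
# function can gate a deployment or a post-upgrade check.
stale_java() {
    expected=$1; shift
    tmp=$(mktemp) || return 2
    java_inventory "$@" > "$tmp"
    status=0
    while IFS=' ' read -r ver path; do
        if [ "$ver" = unknown ] || java_version_lt "$ver" "$expected"; then
            printf 'STALE %s %s\n' "$ver" "$path"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $status
}

# Number of .class entries in a jar. 0 means a placeholder like the fixed
# log4j-1.2.8.jar above: a scanner flags it by name, but it carries no code.
jar_class_count() {
    unzip -l "$1" 2>/dev/null | grep -c '\.class$' || true
}

# Usage on a real host (skipped when the EBS environment is not sourced):
if [ -n "$COMMON_TOP" ]; then
    stale_java "${EXPECTED_JAVA:-1.7.0_331}" "$COMMON_TOP" "$APPL_TOP" "$FMW_HOME"
fi
```

Run it as the applmgr user with the RUN file system environment sourced; the STALE lines are the candidates to remove or to hand to Oracle Support, and a non-zero exit after the cleanup means a copy was missed. Because it executes every launcher it finds, run it only on hosts you administer and only against application file systems.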

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/bash
# delete Java files for vulnerabilities by Qualys report
# Run as the applmgr user with the EBS RUN file system environment sourced
# ($COMMON_TOP and $APPL_TOP must be set).

# Remove the java launcher under one directory without cd'ing into it.
# The original "cd dir; rm -f java" pattern is unsafe: when the directory
# does not exist (adpreclone.pl has not run yet, or the folder was already
# cleaned), cd fails and rm -f java runs wherever the script currently is.
remove_java() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "skip (no such directory): $dir"
        return
    fi
    echo "Under path: $dir"
    ls -al "$dir/java" 2>/dev/null
    rm -f "$dir/java"
}

# Clone staging area under $COMMON_TOP; adpreclone.pl recreates these.
remove_java "$COMMON_TOP/clone/FMW/t2pjdk/bin"
remove_java "$COMMON_TOP/clone/FMW/t2pjdk/jre/bin"
remove_java "$COMMON_TOP/clone/jre/bin"

# Old JREs bundled under the MSC product top.
remove_java "$APPL_TOP/msc/12.0.0/bin/SNO/scp/12.2/sno/installer_jre/bin"
remove_java "$APPL_TOP/msc/12.0.0/bin/PS/scp/12.2/ps/jre/bin"

# loop folder(s) $COMMON_TOP/adopclone_* (a glob is used instead of parsing
# "ls -al" output, which breaks on names with spaces and on unusual ls layouts)
for x in "$COMMON_TOP"/adopclone_*; do
    [ -d "$x" ] || continue
    remove_java "$x/jre/bin"
    remove_java "$x/FMW/t2pjdk/jre/bin"
    remove_java "$x/FMW/t2pjdk/bin"
done
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
