Secunia – Patching Java

This post contains the steps necessary to patch Java with Secunia, since things don’t seem to work out of the gate. The main problem seems to be that Secunia didn’t provision for having both x64 and x86 Java on x64 systems. I was able to create 3 custom patches using Applicability Rules to get the right patch to the right place.

Overview:

  • Create an install script.
  • Extract the msi files.
  • Create a custom package for installing x64 Java on x64 machines.
  • Create a custom package for installing x86 Java on x64 machines.
  • Create a custom package for installing x86 Java on x86 machines.
  • Test the packages with an SPS.exe file.
  • Deploy the packages.

The Process

Create an Install Script

I received the following script from Secunia support. Save this script as ‘PatchJava.xml’ on a system with Secunia CSI Console installed.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<![CDATA[Update Sun Java JRE 1.6.x to 6u31 (x64 for 64-bit systems)]]>

	<![CDATA[var Title = "Custom Update Sun Java JRE 1.6.x - 4";
var GUID = "3c16e659-3c45-49ef-897e-4a8b8c22a0fd";
var userSpecficParams = "ADDLOCAL=ALL JAVAUPDATE=0 AUTOUPDATECHECK=0 JU=0 REBOOT=ReallySuppress /qn";

// NOTE - keep the GUID and title variables already set up in the default script.

// Note - this assumes that the file order of the included files, whether they be // local files or dynamically downloaded files, is as follows:

//Data1.cab
//jre1.6.0_31.msi

function main() {

	if ( !GUID ) {
		server.logMessage("No GUID supplied for package " + Title);
		return 1;
	}

	server.logMessage("Running package " + Title);
	server.logMessage("GUID : " + GUID);

	// There must be at least 3 embedded files (this script is the first one)
	var numFiles = server.numberOfFiles;
	if ( numFiles < 3 ) {
		server.logMessage("Incorrect number of embedded files. Aborting.");
		return 1;
	}

	var filename, shell, sys, temp, tempPath, outdir; // Declare variables we use below
	var tempFileWithPath, sha1Sum, sha1SumCalc; // Declared here so they do not become implicit globals

	// Set up the directory the files will be extracted to and run from
	shell = new ActiveXObject( "WScript.Shell" );
	temp = shell.ExpandEnvironmentStrings( "%TEMP%" );
	sys = new ActiveXObject( "Scripting.FileSystemObject" );
	tempPath = temp + "\\" + GUID;
	try {
		if ( sys.FolderExists( tempPath ) ) {
			outdir = sys.GetFolder( tempPath );
		} else {
			outdir = sys.CreateFolder( tempPath );
		}
	} catch ( ex ) {
		server.logMessage( "Exception with get/create temporary directory " + ex.number + " : " + ex.message );
		return 1;
	}

	// First, extract all the files into the outdir created/found above and get the full path names into
	// an array that we can reference later
	var extractedFileNamesWithPath = [];
	for ( var i=1; i <= 2; i++ ) {
		filename = server.getFilename( i );
		if ( !filename ) {
			server.logMessage( "Cannot read filename: " + filename + "  from file. Corrupted file." );
			return 1;
		}

		tempFileWithPath = outdir.Path + "\\" + filename;

		// Check integrity of file
		sha1Sum = server.getSHA1Sum( i ); // file at index i
		if ( !sha1Sum ) {
			server.logMessage( "Cannot read SHA1SUM from file. Corrupted file." );
			return 1;
		}
		try {
			server.extractFile( i, tempFileWithPath ); // file at index i
		} catch ( ex ) {
			server.logMessage( "Error when extracting file " + ex.number + " : " + ex.message + "File may already exist." );
		}
		sha1SumCalc = server.getSHA1Sum( tempFileWithPath );
		if ( sha1SumCalc !== sha1Sum ) {
			server.logMessage( "Wrong SHA1SUM. Corrupted file." );
			return 1;
		}

		// File is ok - store the tempFileWithPath into our array
		extractedFileNamesWithPath[ extractedFileNamesWithPath.length ] = tempFileWithPath;
	}

	// Run msiexec on the extracted msi. With the file order noted above (Data1.cab, then
	// jre1.6.0_31.msi), index 1 of the array is the msi. The path is quoted in case %TEMP% contains spaces.

	var commandLine = "%WINDIR%\\SYSTEM32\\msiexec.exe /package \"" + extractedFileNamesWithPath[1] + "\" " + userSpecficParams;
	server.logMessage("Executing: " + commandLine);
	var exec = shell.Exec( commandLine );

	wait( exec, 3 * 3600 * 1000 ); // timeout in 3 hours

	if ( !exec.Status ) {
		server.logMessage("Executed " + commandLine + ", but failed to complete. Abandoning.");
		exec.Terminate();
		wait( exec, 300 * 1000 ); // timeout in 5 mins
		sys.DeleteFolder( outdir.Path );
		return 1;
	} else {
		server.logMessage("Executed " + commandLine + ", return status is " + exec.ExitCode);
		shell.RegWrite( "HKLM\\Software\\Secunia\\Updates\\Installed\\" + GUID + "\\", Title );
		sys.DeleteFolder( outdir.Path );
	}
}

// The function waits for the command to complete its execution or timeout
function wait( execObject, timeout ) {
    var start = ( new Date() ).valueOf();
	while ( 0 === execObject.Status && (new Date()).valueOf()-start < timeout ) {
		server.sleep(1000);
	}
}

main();]]>
	<source /><![CDATA[JScript]]>

		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\Data1.cab]]>
		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\jre1.6.0_31.msi]]>

		<![CDATA[C:\Program Files\Java\jre6\bin\java.exe]]>

		<![CDATA[false]]>

	<![CDATA[only64]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>

Extract the msi files.

To extract the msi files from the Java downloads, follow the instructions on Oracle’s site here: How do I deploy Java using Active Directory across a network?.

Custom Package – x64 Java on x64 machines

  1. Open Secunia CSI and Navigate to Patch -> Secure Package System (SPS)
  2. Click ‘New Custom Package’
  3. Click the button ‘Import Package’ and select the xml update package created for Java.
  4. On the ‘Import Package Content’ dialog box click “OK”.
  5. Click ‘Next’ once the package is imported.
  6. On the ‘Step 2 of 4: Package Contents’ screen, right-click to remove both files under the ‘Files to Include’ Frame.
  7. Click ‘Add local file’ and select “Data1.cab” from your java installation source. Note: it’s important that the files be deleted and re-imported even if the current paths seem correct. Also, it’s important that data1.cab be imported first and the msi file imported second.
  8. Click ‘Add local file’ and select “jre1.6.0_31.msi” from your java installation source.
  9. Click ‘Create SPS File’, and run the file on a target system. It should update your x64 java!
  10. Click ‘Next’.
  11. On the ‘Step 3 of 4: Applicability Criteria – Paths’ screen, un-check the ‘Mark Package as “Always Installable”’ checkbox.
  12. Click ‘Next’.
  13. On the ‘Step 4 of 4: Applicability Criteria – Rules’ screen, under the “System Applicability” frame select “64-Bit Systems Only”.
  14. Un-Check the “Do not include Step 3 applicability Paths in XML File” checkbox, then click “Export Package Content”. Save the package file as “Java Package – x64 for x64.xml”.
  15. Click “Publish” to publish your package.

Custom Package – x86 Java on x64 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On the ‘Step 3 of 4: Applicability Criteria’ screen, remove all the applicability paths, then add the following: “C:\Program Files (x86)\Java\jre6\bin\java.exe”.

Custom Package – x86 Java on x86 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On step 13, select “32-Bit Systems Only”.

Grats! You should now have a working Java update.
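
A check to run on a test machine once a package has installed, added here as an example and not part of the original post or of Secunia's script: it reports the java.exe version at the applicability paths used above and looks for the registry marker the install script writes. The Wow6432Node lookup (for a 32-bit agent on an x64 system) and the -MinimumVersion parameter are assumptions.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
param(
    # GUIDs of the packages under test; the default is the GUID in the post's script.
    [string[]]$PackageGuid = @('3c16e659-3c45-49ef-897e-4a8b8c22a0fd'),
    # Assumption: lowest java.exe file version you accept as patched (read it from a known-good host).
    [version]$MinimumVersion
)

# ProgramFiles(x86) is defined only on 64-bit Windows, for 32- and 64-bit processes alike.
$is64BitOs = [bool]${env:ProgramFiles(x86)}

# Applicability paths from the post. On a 32-bit OS the first path holds the x86 JRE.
if ($is64BitOs) {
    $targets = @(
        @{ Package = 'x64 Java on x64'; Path = 'C:\Program Files\Java\jre6\bin\java.exe' },
        @{ Package = 'x86 Java on x64'; Path = 'C:\Program Files (x86)\Java\jre6\bin\java.exe' }
    )
} else {
    $targets = @(@{ Package = 'x86 Java on x86'; Path = 'C:\Program Files\Java\jre6\bin\java.exe' })
}

$jreReport = foreach ($t in $targets) {
    $row = [pscustomobject]@{
        Package = $t.Package; Path = $t.Path; Installed = $false; FileVersion = $null; MeetsMinimum = $null
    }
    if (Test-Path -LiteralPath $t.Path) {
        $vi = (Get-Item -LiteralPath $t.Path).VersionInfo
        $row.Installed = $true
        $row.FileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($MinimumVersion) { $row.MeetsMinimum = $row.FileVersion -ge $MinimumVersion }
    }
    $row
}

# The install script writes the package title as the default value of this key whenever
# msiexec exits, whatever the exit code, so the marker means "package ran", not "patch succeeded".
$markerReport = foreach ($guid in $PackageGuid) {
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $key = "$root\Secunia\Updates\Installed\$guid"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Guid = $guid; Key = $key; Title = (Get-Item -LiteralPath $key).GetValue('') }
        }
    }
}

$jreReport | Format-Table -AutoSize
if ($markerReport) { $markerReport | Format-Table -AutoSize } else { 'No Secunia install marker found for the given GUID(s).' }
```

Pass each package's own GUID with -PackageGuid, and judge success by the java.exe version rather than by the marker alone.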

7 thoughts on “Secunia – Patching Java”

  3. Hi,

    I think your xml file is incomplete, it seems to be missing information. It can’t be imported to CSI 5.0

    Can you update it with a proper xml?

    Remco

    • Remco, the xml failed for me too. Try this: create a new custom package, and copy the new package’s GUID to the clipboard, then cancel the new package creation. Edit the xml and replace the xml’s GUID with the one copied to the clipboard. Save and re-import — does that work? I’m using CSI 5.
