Secunia – Patching Java

This post contains the steps necessary to patch Java with Secunia, since things don’t work out of the gate. The main problem is that Secunia did not provision for having both x64 and x86 Java on x64 systems. I was able to create 3 custom patches using Applicability Rules to get the right patch to the right place.

Overview:

  • Create an install script.
  • Extract the msi files.
  • Create a custom package for installing x64 Java on x64 machines.
  • Create a custom package for installing x86 Java on x64 machines.
  • Create a custom package for installing x86 Java on x86 machines.
  • Test the packages with an SPS.exe file.
  • Deploy the packages.

The Process

Create an Install Script

I received the following script from Secunia support. Save this script as ‘PatchJava.xml’ on a system with Secunia CSI Console installed.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<![CDATA[Update Sun Java JRE 1.6.x to 6u31 (x64 for 64-bit systems)]]>

	<![CDATA[var Title = "Custom Update Sun Java JRE 1.6.x - 4";
var GUID = "3c16e659-3c45-49ef-897e-4a8b8c22a0fd";
var userSpecficParams = "ADDLOCAL=ALL JAVAUPDATE=0 AUTOUPDATECHECK=0 JU=0 REBOOT=ReallySuppress /qn";

// NOTE - keep the GUID and title variables already set up in the default script.

// Note - this assumes that the file order of the included files, whether they be
// local files or dynamically downloaded files, is as follows:

//Data1.cab
//jre1.6.0_31.msi

function main() {

	if ( !GUID ) {
		server.logMessage("No GUID supplied for package " + Title);
		return 1;
	}

	server.logMessage("Running package " + Title);
	server.logMessage("GUID : " + GUID);

	// There must be at least 3 embedded files (this script is the first one)
	var numFiles = server.numberOfFiles;
	if ( numFiles < 3 ) {
		server.logMessage("Incorrect number of embedded files. Aborting.");
		return 1;
	}

	var filename, shell, sys, temp, tempPath, outdir, tempFileWithPath, sha1Sum, sha1SumCalc; // Declare variables we use below

	// Set up the directory the files will be extracted to and run from
	shell = new ActiveXObject( "WScript.Shell" );
	temp = shell.ExpandEnvironmentStrings( "%TEMP%" );
	sys = new ActiveXObject( "Scripting.FileSystemObject" );
	tempPath = temp + "\\" + GUID;
	try {
		if ( sys.FolderExists( tempPath ) ) {
			outdir = sys.GetFolder( tempPath );
		} else {
			outdir = sys.CreateFolder( tempPath );
		}
	} catch ( ex ) {
		server.logMessage( "Exception with get/create temporary directory " + ex.number + " : " + ex.message );
		return 1;
	}

	// First, extract all the files into the outdir created/found above and get the full path names into
	// an array that we can reference later
	var extractedFileNamesWithPath = [];
	for ( var i=1; i <= 2; i++ ) {
		filename = server.getFilename( i );
		if ( !filename ) {
			server.logMessage( "Cannot read filename: " + filename + "  from file. Corrupted file." );
			return 1;
		}

		tempFileWithPath = outdir.Path + "\\" + filename;

		// Check integrity of file
		sha1Sum = server.getSHA1Sum( i ); // file at index i
		if ( !sha1Sum ) {
			server.logMessage( "Cannot read SHA1SUM from file. Corrupted file." );
			return 1;
		}
		try {
			server.extractFile( i, tempFileWithPath ); // file at index i
		} catch ( ex ) {
			server.logMessage( "Error when extracting file " + ex.number + " : " + ex.message + ". File may already exist." );
		}
		sha1SumCalc = server.getSHA1Sum( tempFileWithPath );
		if ( sha1SumCalc !== sha1Sum ) {
			server.logMessage( "Wrong SHA1SUM. Corrupted file." );
			return 1;
		}

		// File is ok - store the tempFileWithPath into our array
		extractedFileNamesWithPath[ extractedFileNamesWithPath.length ] = tempFileWithPath;
	}

	// Run msiexec on the extracted MSI. The array is zero-based, so after the two
	// extractions above index 0 is Data1.cab and index 1 is jre1.6.0_31.msi.

	var commandLine = "%WINDIR%\\SYSTEM32\\msiexec.exe /package " + extractedFileNamesWithPath[1] + " " + userSpecficParams;
	server.logMessage("Executing: " + commandLine);
	var exec = shell.Exec( commandLine );

	wait( exec, 3 * 3600 * 1000 ); // timeout in 3 hours

	if ( !exec.Status ) {
		server.logMessage("Executed " + commandLine + ", but failed to complete. Abandoning.");
		exec.Terminate();
		wait( exec, 300 * 1000 ); // timeout in 5 mins
		sys.DeleteFolder( outdir.Path );
		return 1;
	} else {
		server.logMessage("Executed " + commandLine + ", return status is " + exec.ExitCode);
		shell.RegWrite( "HKLM\\Software\\Secunia\\Updates\\Installed\\" + GUID + "\\", Title );
		sys.DeleteFolder( outdir.Path );
	}
}

// The function waits for the command to complete its execution or timeout
function wait( execObject, timeout ) {
    var start = ( new Date() ).valueOf();
    while ( 0 === execObject.Status && (new Date()).valueOf()-start < timeout ) {
        server.sleep(1000);
    }
}

main();]]>
	<source /><![CDATA[JScript]]>

		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\Data1.cab]]>
		<![CDATA[C:\workingtemp\jre1.6.0_31_x64\jre1.6.0_31.msi]]>

		<![CDATA[C:\Program Files\Java\jre6\bin\java.exe]]>

		<![CDATA[false]]>

	<![CDATA[only64]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>
	<![CDATA[false]]>

Extract the msi files.

To extract the msi files from the Java downloads, follow the instructions on Oracle’s site: “How do I deploy Java using Active Directory across a network?”.

Custom Package – x64 Java on x64 machines

  1. Open Secunia CSI and navigate to Patch -> Secunia Package System (SPS).
  2. Click ‘New Custom Package’
  3. Click the button ‘Import Package’ and select the xml update package created for Java.
  4. On the ‘Import Package Content’ dialog box click “OK”.
  5. Click ‘Next’ once the package is imported.
  6. On the ‘Step 2 of 4: Package Contents’ screen, right-click to remove both files under the ‘Files to Include’ Frame.
  7. Click ‘Add local file’ and select “Data1.cab” from your Java installation source. Note: it’s important that the files be deleted and re-imported even if the current paths seem correct. Also, it’s important that Data1.cab be imported first and the msi file second.
  8. Click ‘Add local file’ and select “jre1.6.0_31.msi’ from your java installation source.
  9. Click ‘Create SPS File’, and run the file on a target system. It should update your x64 java!
  10. Click ‘Next’.
  11. On the ‘Step 3 of 4: Applicability Criteria – Paths’ screen, un-check the ‘Mark Package as “Always Installable”’ checkbox.
  12. Click ‘Next’.
  13. On the ‘Step 4 of 4: Applicability Criteria – Rules’ screen, under the “System Applicability” frame select “64-Bit Systems Only”.
  14. Un-Check the “Do not include Step 3 applicability Paths in XML File” checkbox, then click “Export Package Content”. Save the package file as “Java Package – x64 for x64.xml”.
  15. Click “Publish” to publish your package.

Custom Package – x86 Java on x64 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On the ‘Step 3 of 4: Applicability Criteria’ screen, remove all the applicability paths, then add the following: “C:\Program Files (x86)\Java\jre6\bin\java.exe”.

Custom Package – x86 Java on x86 Machines

Use the same general process as the first package, but with the following modifications:

  • On the ‘Step 1 of 4: Package Configuration’ screen, rename the package according to the architecture.
  • On steps 7-8, import the x86 versions of data1.cab and jre1.6.0_31.msi.
  • On step 13, select “32-Bit Systems Only”.

Grats! You should now have a working Java update.
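The three packages above are told apart only by their Step 4 system rule and their Step 3 applicability path. This added example (my own code, not the post’s script or anything from Secunia) models that evaluation so you can confirm the rules are disjoint before publishing, and it also checks the embedded-file order that the install script depends on; the host facts are constructed, and the msiexec path is quoted here, which the original script does not do.

```javascript
// Added example, not the post's or Secunia's code. Models how the three custom
// packages' applicability rules (Step 3 path + Step 4 system rule, with
// "Always Installable" unchecked) sort a host, and validates the embedded file
// order the install script relies on. Host facts below are constructed inputs.

const JAVA_X64_PATH = "C:\\Program Files\\Java\\jre6\\bin\\java.exe";
const JAVA_X86_PATH = "C:\\Program Files (x86)\\Java\\jre6\\bin\\java.exe";

// One entry per custom package described in the post.
const PACKAGES = [
  { name: "Java x64 for x64", systems: "only64", path: JAVA_X64_PATH },
  { name: "Java x86 for x64", systems: "only64", path: JAVA_X86_PATH },
  { name: "Java x86 for x86", systems: "only32", path: JAVA_X64_PATH },
];

// A package applies when its architecture rule matches the host AND its
// applicability path exists there (the package is not "Always Installable").
function applicablePackages(host) {
  const present = new Set(host.files.map((p) => p.toLowerCase()));
  return PACKAGES.filter((pkg) => {
    const archOk = pkg.systems === (host.is64Bit ? "only64" : "only32");
    return archOk && present.has(pkg.path.toLowerCase());
  }).map((pkg) => pkg.name);
}

// The install script runs msiexec on extractedFileNamesWithPath[1], so the MSI
// must be the second embedded file and Data1.cab the first. Refuse to build the
// command line when the order is wrong rather than failing on the client.
function buildCommandLine(extractedFiles, params) {
  if (extractedFiles.length !== 2) {
    throw new Error("expected exactly two embedded files (Data1.cab, jre msi)");
  }
  const [cab, msi] = extractedFiles;
  if (!/\\data1\.cab$/i.test(cab) || !/\.msi$/i.test(msi)) {
    throw new Error("file order must be Data1.cab first, then the .msi");
  }
  // Quote the MSI path: %TEMP% may contain spaces.
  return '%WINDIR%\\SYSTEM32\\msiexec.exe /package "' + msi + '" ' + params;
}

// Silent-install parameters from the post's script.
const SILENT_PARAMS =
  "ADDLOCAL=ALL JAVAUPDATE=0 AUTOUPDATECHECK=0 JU=0 REBOOT=ReallySuppress /qn";
```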

Secunia – Scanning and Patching

So you made it this far. Great! Let’s scan your network and publish a patch.

Overview

  • Configure your Network Appliance Agent.
  • Create a Network Appliance Group.
  • Run a scan.
  • Publish a patch.

The Process

Configure the Network Appliance Agent

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Agents. Then right-click your NAA and choose ‘Edit Configuration’.
  2. On the ‘Configuration for Network Appliance Agent’ wizard, configure a check-in frequency and set your maximum simultaneous inspections. I’m running 30 simultaneous inspections on my dedicated scanning VM and haven’t noticed a significant amount of load.

Create a Network Appliance Group

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Groups, then click “New Group”.
  2. Enter a name for the network group, then select a scan type. I chose scan type 1.
  3. On the ‘IP Networks’ tab, enter your gateway and netmask, then click “add”.
  4. On the ‘Agents’ tab, check the box next to your NAA.
  5. On the ‘Scheduling’ tab, configure your scanning schedule, choose “Scan group as soon as possible”, then click “Save”.
  6. Your network appliance group should now be included in the list.

Publish a Patch

  1. Once your scan results come in, navigate to Patch -> Secunia Package System (SPS). Right-click any software program highlighted in blue and choose “Create Update Package”.
  2. On ‘Step 1 of 4: Package Configuration’, click “Next”.
  3. My install skips step 2 for some reason. On ‘Step 3 of 4: Applicability Criteria – Paths’ click “Next”.
  4. On ‘Step 4 of 4: Applicability Criteria – Rules’ click “Publish”.
  5. Run a WSUS Repository synchronization in SCCM, and create a search folder for the vendor of the application you published a patch for. It should show up and be ready for deployment! Pretty cool!

So that’s the Secunia workflow. Stay tuned for a post on SCCM deployment of CSI host and PSI agents.

Installing and Configuring Secunia

Now that you know how cool it is, let’s install and try out the product. This post will cover the initial install and configuration of Secunia. Part 2 will cover network scanning and actually publishing a patch.

Overview

  • Download and Install the CSI Console
  • Connect the CSI Console to your SCCM Server
  • Install a CSI Network Appliance Agent
  • Run a network scan
  • Create a package
  • Publish the package to SCCM

Prerequisites

  • A workstation to run CSI Console.
  • A server to run CSI in Network Appliance mode.
  • An SCCM Server with the SUP role configured.
  • A user account for the Network Appliance service that has admin rights on all target\client computers.

The Process

Download and Install the CSI Console

  1. Download the Secunia CSI Console from the following web page (after login).
    https://ca.secunia.com/
  2. Double-click the setup file “CSISetup.exe” to begin installation.
  3. On the ‘Welcome to the CSI Setup’ screen, click “Next”.
  4. On the ‘License Agreement’ screen check the box and click Next.
  5. On the ‘Readme Information’ screen click “Next”.
  6. On the ‘Choose Install Location’ screen click “Next”.
  7. On the ‘Completing the CSI Setup’ screen click “Finish”.
  8. When prompted to launch Secunia CSI, click “Yes”.
  9. Login to the CSI Console using your Customer Credentials.
  10. Secunia will load if your internet connection is active.
  11. Congrats! The software is installed and launched.

Connecting CSI Console to the SCCM Server

  1. Click Start -> Run, then type “inetcpl.cpl” to load “Internet Options”.
  2. On the “Security” tab, click “Trusted Sites” then click the “Sites” button.
  3. Add the following site to the trusted sites list then click “Close”:
    https://csi5.secunia.com
  4. On the Internet Options window, click “OK”.
  5. In Secunia CSI navigate to Patch -> WSUS Configuration, then click “Configure Upstream Servers”.
  6. If using SCCM, enter the SCCM server hostname and port, then click “Use SSL”, then click “Connect”. The default SCCM WSUS Port number for SSL is 8531.
  7. Next, Secunia asks you to configure the certificate. If you already have a WSUS Signing Certificate, for example from using System Center Updates Publisher, then close the wizard because parts 2 and 3 are not necessary. If you are sure that you do not have a WSUS Signing Certificate, click “Automatically create and install certificate”.
  8. I can’t show the wizard step 3, because importing a new signing certificate would break my WSUS server. However, step 3 just creates a group policy object for the distribution of the certificate to your active directory clients. The process can be seen manually in my previous blog post “Pushing the SCUP Certificate to Clients”.

Install a Network Appliance Agent

  1. Navigate to Scanning -> Remote Scanning Via Agents -> Download Network Agent, then click “csia.exe” to download the agent.
  2. Log into the server designated for the NAA agent as the user with which you’d like to run the service. The user must be an administrator on the host and any clients that will be scanned. I did not have success with the NAA when installing the service using runas, or by configuring the service properties in services.msc. The service would start, but would not report back to the CSI Server.
  3. Once logged into the server, run the following command:
    mkdir %programfiles%\secunia
  4. Now, copy csia.exe into %programfiles%\secunia.
  5. Now open a command prompt and run the following commands to install the agent service:
    CD /D %programfiles%\Secunia
    csia.exe -A -i --skip-wait
  6. In CSI Console, navigate to Scanning -> Remote Scanning Via Agents -> Network Appliance Agents. After 4-5 minutes, you should now see the NAA server appear in this list.

Congrats! You are now ready to start scanning and patching your network clients! Look to part 2 for configuring a Network Appliance Group, initiating a scan, and publishing a patch.

Secunia and SCCM – Overview

Secunia takes a lot of the work out of patching applications across the fleet. It runs as an independent agent\scanner which creates a software inventory database of clients on your network. You can then create individual ‘update packages’ and push them to your WSUS server (and\or SCCM server). The best part is that Secunia handles package creation for most applications — you don’t need to know the install\uninstall switches of every application. Here’s a quick overview of how Secunia works and looks. The next post will cover the actual installation and configuration.

Overview

Secunia needs to get a software inventory to function. It can do this via remote scanning or agent-based scanning. Remote scanning refers to scanning a group of agent-less computers on your network via a central server. Agent-based scanning refers to installing an agent on your host that scans itself and reports back to the central server. Remote scanning requires only a couple firewall holes and works well for always-connected computers. Agent-scanning works well for laptops and desktops without a reliable maintenance schedule.

Agent Types

There are 3 agent types:

  • CSI Host Agent – command-line agent that doesn’t interact with the user.
  • CSI Network Appliance Agent – proxy-style command-line agent that can be used to remotely scan its host and subnet(s).
  • PSI – adds a GUI agent to the CSI that allows users to install patches themselves if they are administrators.

The CSI Network Appliance Agent is what you’d install on a dedicated scanning server\VM. CSI Host Agent is great for laptops because it will upload scan results to the central server whenever it can. The PSI is a great compromise for power users who like to manage their own machines, and for IT who still want reporting and the ability to force patch compliance. PSI contains all the features of a CSI host agent (as far as I can tell).

Screenshots!

Here are a few screenshots of Secunia in action.

  • Secunia’s inventory of our network.

  • Secunia patch page, showing the right-click features.

  • The updates, as published to my SCCM Repo.

It’s a pretty cool program. Stay tuned for help installing the system.