There are loads of vulnerabilities reported for most of the versions of Java. JRE7 Update 11 is badly affected. Java vulnerabilities are also contained in prior versions of Java. More details available here. Web browsers using any of these Java plug-ins are at high risk. Oracle (Java) agrees on the fact that, by leveraging the a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. More details about vulnerability here.
As you know, most of organizations are using Java plugins. The machines which are installed with Java plug are vulnerable. How to tackle these vulnerabilities? It’s simple as Keep the Java version updated. As you know, we can’t directly deploy Java updates through WSUS or ConfigMgr. Even with SCUP, you need to do loads of development tasks to deploy Java updates. In this scenario, SolarWinds Patch management software is very helpful, with in few minutes you can download required Java update, and import and deploy it to the managed devices.
SolarWinds Patch manager is capable of performing automatic patching of 3rd party applications other than Java. The SolarWinds patch Manager can update other 3rd party applications like Adobe, Apple, Dell, Google, HP, Microsoft, Mozilla, Opera, SolarWinds, Sun and Win zip. If you want to see where you’ll get these details of all the supported vendors then the best place is ConfigMgr console (after the integration, you will be able to see 3rd Party Updates plug-in).
Solarwinds Patch manager uses native windows update client to deploy and install these 3rd party application patches on to workstations. There is NO need to install separate client on workstations so it basically uses an agentless architecture. So there is no overhead of installing and managing some extra client software. SolarWinds Patch Manager provide key capabilities to enhance WSUS SCCM and general management experience by including enhanced command and controls, TCP/IP discovery, advanced inventory and reporting on desktops and servers.
In this post, I’ll try to explain 8 simple steps, you need to follow to keep your Java plugin updated. Again, you don’t need spend hours and hours to edit or modify the Java update by creating pre requisites rules and finding out the proper command lines. All readily available to use if you install or publish it via Solarwinds Patch Manager. It’s an awesome tool. This post basically guides you to select your product and download the content, import it, publish it, Approve the updates, deploy it to client and then check the reports.
I’m not going to cover installation and configuration of SolarWinds Patch Manager in this post. If you would like to know more details about installation and configuration then you can refer another post “How to Install and Configure SolarWinds Patch Manager“.
Step to Tackle Java Vulnerabilities with SolarWinds Patch Manager
1. You can download the Patch Manager from here. After installation, configuration and first sync, you’ll see the below screen Capture (in my case I’ve selected only Sun Java products for the update that is why you can see only Java in my console).
2. Right click on any of the update that you want to deploy and select download content. The package Download Assistance wizard will pop up and that will help you to download the content from Oracle Java Website. At the bottom side, you can see the link of the vendor site. Click on that link to download the package and then click on Import option (on the top of the screen to import the Java Update Source to the patch manager). Note : check the STATUS it says Not Downloaded in the following pic.
3. I’ve downloaded the Java update from Oracle Java site and clicked on IMPORT SOURCE button to import the source. Once it’s imported successfully, the package Download Assistant will show the STATUS to COMPLETED !! So we are almost done with update deployment. Isn’t it awesome?
4. What we did is just downloaded the Sun Java package content and imported the Java Update content to SolarWinds Patch Manager. Look at the thing the SolarWinds Patch Manager did automatically in the background to getting Java update ready for deployment.
To get more details about the configurations done in the background. Right click on the update and select EDIT. You can see, it created all the details like criticality of the patch, Patch Classification, Reboot Behavior and Support URL etc. Most important and very useful point here is, we can still edit these information. It’s NOT in read only format. Wow great !!
5. More and More useful info available if you click NEXT on the above wizard. Command Line, Reboot Codes, Package name and Download URL, Prerequisites rules and Installed rules are there in this wizard. All these options are editable. So you can change according to your organization.
Command line populated in my case was “/s “JAVAUPDATE=0 AgreeToLicense=YES””
6. The last step is to right click on the Java Update and Publish to WSUS. Once published successfully, we can deploy Java package to the managed machines/devices.
7. Once the update is published then you’ve APPROVE the updates which want to deploy. Once approved, you can deploy this update to the client systems using “Update Management“. This update management will help to deploy updates to client. The main, I would say CORE part of this update deployment is Package Boot which works in tandem with Update management.
SolarWinds Patch Manager’s Package Boot is core and very useful while deploying 3rd patches to managed machines. Look at the stuffs it’s capable to perform. Before applying the update, it can stop the Java services , terminate the iexplore.exe, terminate the locked files etc. All these will be helpful to get good success rate in the deployment. This is one of the advantage of using SolarWinds Patch Manager for 3rd patching rather than using SCUP and struggling to get good success rate.
8. At last, Solarwinds patch manager provides out of box reports to enrich the capability of reporting. In depth reports are also available with in SolarWinds Reporting Console, this will help to troubleshooting in case of any failures. Even, you can see that this product shows us “almost” real time progress of the deployment (whether the server is able to establish WMI connection, downloaded the updates or started the installation or not etc).
Anoop is Microsoft MVP! He is a Solution Architect on enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…