Bigger is not necessarily better, but it’s beginning to look like Oracle will release a monster Critical Patch Update (CPU) every quarter. These security updates affect databases, networking components, operating systems, applications server, Java, and ERP systems, leaving IT administrators to wrestle with the task of testing, verifying, and deploying several dozen patches in a timely manner.
The CPU is getting bigger — the average number of vulnerabilities patched in 2014 and 2015 was 128 and 161, respectively, compared to this year’s average of 228 vulnerabilities — but most of the focus remains on the company’s middleware products. Of the 253 security flaws fixed in the October Critical Patch Update (CPU), Oracle Database, MySQL, Java, Linux and virtualization products, and the Sun Systems suite accounted for only one-third of the patches. Oracle addressed 12 vulnerabilities in its core Oracle Database Server, 31 in the MySQL database, seven in Java SE, 13 in Oracle Linux and virtualization products, and 16 in the Sun Systems suite, which includes Solaris and Sparc Enterprise.
Several vulnerabilities are considered critical and could be remotely exploited without requiring authentication.
Database is important again
The last several updates from Oracle addressed few database flaws, but this latest CPU showed the flagship product a little bit of love. Oracle Database Server has nine new security fixes, of which only one was rated critical with a CVSS v3 base score of 9.1. However, that vulnerability in OJVM (CVE 2016-5555), which affects Oracle Database Server 220.127.116.11 and 18.104.22.168, cannot be remotely exploited over a network without requiring user credentials. In contrast, the six-year-old vulnerability in the Application Express component (CVE-2010-5312) has a CVSS v3 score of 6.1 but can be exploited over the network without authentication.
An issue with the DBA-level privileged accounts (CVE 2016-3562) applies to client-only installations and doesn’t need to have Oracle Database Server installed.
Two vulnerabilities in Oracle Secure Backup may be remotely exploitable without authentication, but were rated 5.8 on the CVSS v3 scale, making them of medium severity. The last security flaw, in Oracle Big Data Graph, is related to the Apache Commons Collections and is not remotely exploitable without authentication.
For Oracle MySQL, the most serious security flaws are in the Server:Security:Encryption component (CVE-2016-6304) and in the Python Connector (CVE-2016-5598) because they may be remotely exploited without authentication. Even so, Oracle did not consider these issues critical, assigning them CVSS v3 scores of 7.5 and 5.6, respectively. There were three fixes for the Encryption component and six for InnoDB.
Databases are typically not exposed to the internet, but administrators should plan on patching the vulnerabilities in MySQL Connector and Application Express as they are remotely exploitable and attackers can use them after compromising another system on the network.
Keep that Java patched
Administrators who support Java applications should pay close attention to the Java patches, as Oracle released seven important security updates that affect every version of Java Platforms 6, 7, and 8, and eight critical security updates for Oracle’s Java-powered WebLogic and GlassFish application platforms. Nearly all of the disclosed vulnerabilities are remotely exploitable without authentication, meaning any application running on the current or earlier versions of these Java products could be susceptible to remote attacks and exploitation.
Two of the Java Platform vulnerabilities affect the Java Management Extensions (JMXs) and Networking APIs built into the Java Platform. Critical Java applications are likely operating with these flawed APIs and should be prioritized for patching as quickly as possible.
“These two APIs are present and loaded in all but the most trivial Java applications,” said Waratek CTO John Matthew Holt.
The CVSS scores for the Java security flaws assume that the user running the Java applet or Java Web Start application has administrator privileges. This is a common user scenario in Windows, which is why the scores are so high. In environments where users do not have administrator privileges — a typical situation for Solaris and Linux users, and also for some Windows users — the impact scores drop significantly. A CVSS v3 base score of 9.6 for a Java SE flaw drops to 7.1 in those deployments, Oracle said in the advisory.
Java on Windows machines should have priority. This advisory also shows why it pays off for Windows administrators to not give higher privileges by default to their users.
“Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases,” Oracle said.
Even though Oracle WebLogic Server and Oracle Glassfish Server are grouped into Oracle Fusion Middleware, Holt highlighted the five vulnerabilities in WebLogic and two in GlassFish that are remotely exploitable over HTTP and HTTPS protocols without authentication. A successful exploit against critical business applications on Java-powered WebLogic and GlassFish applications could hijack the application stack and expose confidential application data.
Remote exploits over HTTP/HTTPS pose serious risks due to the “ubiquity of HTTP/HTTPS access to Java-powered applications,” Holt warned.
Fixes in for Oracle Linux and Sun Systems, too
Oracle also fixed 13 flaws in Oracle Virtualization, four of which are remotely exploitable without authentication. Eight flaws affected Oracle VM VirtualBox, and the most critical one, affecting the VirtualBox Remote Desktop Extension (CVE-2016-5605), applies to every single version of VirtualBox prior to 5.1.4.
Much like the database issues, the flaw in VirtualBox’s OpenSSL component (CVE-2016-6304) should be prioritized and patched immediately because attackers can use this flaw as they move laterally through the network.
On the operating system, Oracle fixed 16 vulnerabilities in the Oracle Sun Systems Products Suite, which includes Solaris and the Sun ZFS Storage Appliance Kit. The CVSS v3 scores range from 2.8 to 8.2, but three issues that can be exploited over a network without requiring user credentials are all of low severity. Even so, administrators should pay attention to the fixes for ZFS Storage appliance’s DNS, the IKE component in Solaris, and HTTP in Solaris because of the risk of a remote attack.
Set the priority list
Organizations prioritize patches differently. One with a lot of Java users on Windows would bump up the patches’ priority higher than one that’s a pure-Linux shop. Critical business applications on WebLogic will need some attention, as will those organizations that use VirtualBox throughout their virtualized infrastructure.
Researchers at ERPScan sorted the fixed vulnerabilities by their CVSS v3 scores and noted that the flaw in Oracle WebLogic Server (CVE-2016-5535), which affects versions 10.3.6.0, 22.214.171.124, 126.96.36.199 and 188.8.131.52, was third on the list. A successful attack can result in a takeover of Oracle WebLogic Server. The vulnerability in JavaSE’s Hotspot subcomponent (CVE-2016-5582) was fifth. While easily exploitable, a successful attack using this vulnerability would require human interaction from a person other than the attacker.
Oracle didn’t indicate whether any of these flaws have been exploited in the wild, but warned against skipping the patches in favor of workarounds. While it’s possible to reduce the risk of successful attack by blocking network protocols or removing certain privileges or access to certain packages, they do not correct the underlying problem.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company wrote in the advisory accompanying the CPU release.