INFOWORLD TECH WATCH | By Fahmida Y. Rashid
Oracle’s Critical Patch Updates keep getting bigger. The database giant addressed a number of remotely exploitable flaws in Java, MySQL, and Oracle Database this quarter
Bigger is not necessarily better, but it’s beginning to look like Oracle will release a monster Critical Patch Update (CPU) every quarter. These security updates affect databases, networking components, operating systems, application servers, Java, and ERP systems, leaving IT administrators to wrestle with the task of testing, verifying, and deploying several dozen patches in a timely manner.
The CPU is getting bigger — the average number of vulnerabilities patched per update in 2014 and 2015 was 128 and 161, respectively, compared to this year’s average of 228 — but most of the focus remains on the company’s middleware products. Of the 253 security flaws fixed in the October CPU, Oracle Database, MySQL, Java, Linux and virtualization products, and the Sun Systems suite together accounted for only one-third of the patches. Oracle addressed 12 vulnerabilities in its core Oracle Database Server, 31 in the MySQL database, seven in Java SE, 13 in Oracle Linux and virtualization products, and 16 in the Sun Systems suite, which includes Solaris and Sparc Enterprise.
Keep that Java patched
Administrators who support Java applications should pay close attention to the Java patches, as Oracle released seven important security updates that affect every version of Java Platforms 6, 7, and 8, and eight critical security updates for Oracle’s Java-powered WebLogic and GlassFish application platforms. Nearly all of the disclosed vulnerabilities are remotely exploitable without authentication, meaning any application running on the current or earlier versions of these Java products could be susceptible to remote attacks and exploitation.
Two of the Java Platform vulnerabilities affect the Java Management Extensions (JMX) and Networking APIs built into the Java Platform. Critical Java applications are almost certainly loading these flawed APIs and should be prioritized for patching as quickly as possible.
“These two APIs are present and loaded in all but the most trivial Java applications,” said Waratek CTO John Matthew Holt.
The CVSS scores for the Java security flaws assume that the user running the Java applet or Java Web Start application has administrator privileges. This is a common user scenario in Windows, which is why the scores are so high. In environments where users do not have administrator privileges — a typical situation for Solaris and Linux users, and also for some Windows users — the impact scores drop significantly. A CVSS v3 base score of 9.6 for a Java SE flaw drops to 7.1 in those deployments, Oracle said in the advisory.
Java on Windows machines should have priority. This advisory also shows why it pays off for Windows administrators not to give their users elevated privileges by default.
“Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases,” Oracle said.
Even though Oracle WebLogic Server and Oracle GlassFish Server are grouped under Oracle Fusion Middleware, Holt highlighted the five vulnerabilities in WebLogic and two in GlassFish that are remotely exploitable over HTTP and HTTPS without authentication. A successful exploit against critical business applications running on Java-powered WebLogic and GlassFish application servers could hijack the application stack and expose confidential application data.
Remote exploits over HTTP/HTTPS pose serious risks due to the “ubiquity of HTTP/HTTPS access to Java-powered applications,” Holt warned.