The Oracle April 2017 critical patch update shows the problems with software composition are increasing and must soon be addressed.
The April 2017 Oracle Critical Patch Update contains more than 30 Java-related CVEs, including:
- Eight (8) CVEs directly effect the core Java Platform
- Nearly 70% of the Java-related CVEs, including 87% of the Java Platform CVEs, are remotely exploitable without authentication
- Belated remediation for more than one dozen high-profile software composition vulnerabilities which, in some cases, date back as far as 5 years
- Included in these belated remediations are the “celebrity superstar” vulnerabilties Apache Struts v1 and v2 as well as Apache Commons
- Users should not just rely on the installation of this CPU to mitigate all the identified vulnerabilities. In some cases, manual profiling and extra configuration is required.
Commentary: John Matthew Holt, Waratek CTO
With the latest Oracle patch release, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.
The April CPU shows the scale of the challenge that the information technology industry as a whole faces in securing modern modular enterprise applications which are composed of dozens or sometimes hundreds of third-party libraries and modules. If a best-of-breed software vendor like Oracle struggles to account for and secure their third-party library dependencies in a major software platform like Oracle Fusion, then how can an “ordinary” enterprise, which is not a sophisticated IT vendor, be expected to do any better?
The pace of the discovery of software composition vulnerabilities is accelerating quarter-by-quarter, and year-by-year. As a result, the IT industry faces an impending crisis point if it does not rapidly begin adopting and embracing automated remediation solutions to detect and protect software composition vulnerabilities at runtime in any application, at any layer of the software stack, without human intervention or manual testing.
Waratek already protects against a number of the vulnerabilities included in the Oracle patch, such as the Apache Struts 1, 2 and Commons CVEs.
Waratek customers should apply the virtual patches provided by Waratek that address the remaining appropriate April CPU vulnerabilities to receive immediate protection without restarting their applications.
Non-customers should apply the appropriate binary patches as quickly as possible as nearly 3/4ths of the CVEs addressed in the April 2017 CPU can be remotely exploited without credentials.
However, installing the new CPU may not be enough. Manual profiling and configuration is also required in some cases. For example, the fix for CVE-2017-3509 requires users to:
- Install the new CPU
- Profile their applications and environments to determine if caching for HTTP NTLM connections is required
- Change the JVM launcher system properties and set the new `jdk.ntlm.cache` property to false.
This change must be done with caution because disabling NTLM connection caching could cause severe performance and usability side effects in some cases.
The sheer number of software vulnerabilities and the ubiquitous nature of software flaws simply mean that the protective measures we’ve relied on for decades are now unable to provide the level of protection required. Automated runtime application security solutions are the only way that end-users – even the most sophisticated ones – will ever be able to get ahead of the crashing vulnerability wave.
John Matthew Holt is the Founder and Chief Technology Officer of Waratek. The inventive inspiration and technical driving force behind Waratek’s groundbreaking research and development into distributed computing and virtualization technologies, he holds more than 60 patents.
As CTO, John Matthew leads a multinational team of expert computer engineers on a journey that has resulted in the creation of a disruptive new approach to web security that allows organisations to protect their Java applications and data from SQL Injection, targeted attacks and unpatched vulnerabilities at runtime, without making any code changes or deploying any hardware.