Since 2005, Oracle has released a collection of security fixes for their products on every Tuesday closest to the 17th day of January, April, July, and October. These fixes, known as a Critical Patch Update (CPU), are typically cumulative and address security vulnerabilities associated with Oracle products. April’s update, with fixes for 299 vulnerabilities across Oracle’s, was its largest CPU to date.
Via Oracle: “A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.”
Oracle, the database and cloud computing giant, sees its software used for vital operations by most of the Fortune 500. Their Java-based open source software is used in mission-critical environments across the globe and on more than 15 billion devices.
April’s CPU contained patches for core components of Java products, many of them linked to commonly used third-party software that is standard among large financial services firms, healthcare providers, and transportation companies. These sectors are constantly under attack from malicious hackers, making it all the more important to apply the most recent security patches as soon possible – a task that can take even the most sophisticated organization months or longer to complete.
For organizations that need to constantly monitor and eventually update software, time is of the essence. The same can be said of the cyber criminals looking to exploit faults in the system. Some organizations move faster than others in applying the patches (for many reasons) and hackers can use this window of time to consult Oracle’s public CPU, using it as a roadmap to attack firms.
You don’t have to be a news junkie to be cognizant of the ever-present threat of cyber attacks and the necessity for vigilant security. Cyber attacks are on the uptick and cybersecurity teams are struggling to keep up by remedying software flaws and responding to potential threats.
With the latest Oracle patch release, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.
To put things in perspective, Oracle finds a new flaw in their products every 100 hours. Some of the flaws included in the most recent CPU date back to 2012. (To be fair, every software developer releases the equivalent of the Oracle CPU, but Oracle’s market share makes it the bellwether of the entire industry.)
That’s five years of an open, unpatched vulnerability. Among the others are over 30 Java-related Common Vulnerabilities and Exposures (CVEs), eight of which directly affect the core Java platform. Nearly 70 percent of the Java-related CVEs are remotely exploitable without authentication.
Addressing years-old vulnerabilities in current patches is proof that we are nearing a crisis point where our ability to respond in a timely and effective manner is at risk. We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities. That is not a sustainable model.