Oracle’s priorities have clearly shifted away from Java and its database products, as the bulk of fixes are for its middleware and e-commerce applications
Oracle released its quarterly CPU (Critical Patch Update), addressing a whopping 276 vulnerabilities across 84 products, an all-time high for Oracle. The vast majority of the fixes are in Oracle’s Fusion Middleware and other applications. Oracle Database, ostensibly the company’s flagship product, continues to get less and less attention from the security team.
The CPU fixed 39 vulnerabilities in Fusion Middleware; 34 in the Sun Systems suite, which includes Solaris and SPARC Enterprise; and 27 in Supply Chain. MySQL, which Oracle acquired as part of its Sun deal, received 22 fixes, while only nine fixes were released for Oracle Database Server. Java, which continues to be a favorite target for web-based attacks, received 13 fixes. The CPU addressed only four security flaws in Oracle Linux and virtualization products.
Java gets particular attention in this update, with fixes for four critical vulnerabilities. More than half of the Java vulnerabilities addressed in this CPU are remotely exploitable over a network.
“Customers really need to apply these Java CPU patches as soon as possible, as several high-CVSS vulnerabilities in the HotSpot JVM internals are being patched,” said Waratek CTO John Matthew Holt.
An “easily exploitable vulnerability” in Java SE 8u92 in the HotSpot JVM (CVE-2016-3587) allows an unauthenticated attacker with network access via multiple protocols to compromise Java. The vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code, Oracle said in its advisory. The vulnerability does not affect Java deployments that load and run only trusted code. The CVSS v3 base score is 9.6. A similar “easily exploitable vulnerability” in HotSpot (CVE-2016-3606) affecting Java SE 7u101 and 8u92 also received a CVSS v3 base score of 9.6.
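As an added example (not from the article, Oracle or Waratek), the following inventory check parses `java -version` output collected from hosts and flags JREs at or below the affected levels the article names, 7u101 and 8u92. The legacy `1.<family>.0_<update>` version-string format and the sample outputs are assumptions constructed for the example; the fixed release numbers are not stated in the article, so the check is "at or below the affected level", not "below the fixed level".

```python
import re
from typing import Optional

# Affected levels named in the article for the July 2016 CPU: Java SE 7u101
# and 8u92. Same-family releases at or below these are assumed unpatched.
AFFECTED_MAX_UPDATE = {7: 101, 8: 92}

# Assumed legacy format printed by `java -version`, e.g. java version "1.8.0_92"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output: str) -> Optional[tuple]:
    """Return (family, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_july_2016_cpu(output: str) -> Optional[bool]:
    """True if at/below an affected level, False if newer, None if unrecognised."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    if limit is None:
        return None  # family not covered by the article's affected list
    return update <= limit


# Constructed sample outputs, as an inventory script might gather per host.
SAMPLES = {
    "web-1": 'java version "1.8.0_92"',
    "web-2": 'java version "1.8.0_101"',
    "legacy": 'java version "1.7.0_80"',
    "odd": 'openjdk version "9-ea"',
}


def triage(samples: dict) -> dict:
    """Map host -> True (patch needed) / False (newer) / None (unknown)."""
    return {host: needs_july_2016_cpu(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLES).items():
        label = "patch needed" if status else ("ok" if status is False else "unknown")
        print(f"{host}: {label}")
```

Hosts reported as "unknown" should be reviewed by hand rather than assumed safe.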
These vulnerabilities were likely related to Java features introduced in Java SE 7 and later versions that support the “invokedynamic” feature, which enables dynamic code execution and scripting, Holt said.
Organizations unable to immediately apply the patches should consider virtual patching to “provide immediate, interim security controls,” Holt said. Application technologies like Runtime Application Self-Protection that provide virtual patching capabilities give organizations an alternative if they can’t take servers offline for immediate patching.