Vulnerabilities / Threats

10/18/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Oracle Fixes 20 Remotely Exploitable Java SE Vulns

Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches 'without delay.'

Oracle this week urged administrators to apply security patches to their systems more quickly even as it increased their burden with a set of fresh fixes for another 252 vulnerabilities across products including Oracle Database Server and Java SE.

Tuesday's critical patch update (CPU) is Oracle's first since news of the Equifax breach and of serious vulnerabilities in the widely used WPA2 WiFi security protocol, and separately, in numerous products featuring a particular crypto chipset from Infineon.

In its patch availability announcement, Oracle did not specifically call out these incidents as heightening the urgency for organizations to apply its CPU's more promptly. Instead as it usually does, Oracle more generally cautioned customers about periodic reports it receives about intruders successfully breaking into organizations by exploiting vulnerabilities for which the company has already issued patches.

"Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay," the company noted.

Big as October's CPU is, it is actually smaller than Oracle's last one in July when the company announced fixes for 310 flaws and the one before in April that involved patches for 300 vulnerabilities.

Commenting on the security update, application security vendor Waratek said the CPU contains fixes for bugs in the Java Virtual Machine and five additional components in Oracle's Database Server. Two of the patched flaws are remotely exploitable without the need for any credentials.

Oracle's October CPU also patches 22 Java SE vulnerabilities, says Chris Goettl, product manager at Ivanti. "Twenty of these may be remotely exploited without requiring authentication," Goettl says.

"What this means is an attacker with a foothold in your environment just needs to be able to resolve a system with one of these vulnerabilities exposed and they would not even need to have a credential to exploit it."

Unlike Microsoft's monthly updates, Oracle releases its security patches once every three months. So the October update is the last one for this year. Up to now in 2017, Oracle has fixed a total of 79 vulnerabilities in Java SE or more than double the 37 it addressed last year, Waratek noted. The sharp increase suggests that Oracle is paying more attention to find flaws in Java SE. But it also underscores the growing risk that the Java platform poses for organizations, the vendor observed in its commentary.

“While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws," Waratek security architect Apostolos Giannakidis said in the guide. "This CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application."

James Lee, executive vice president and chief marketing officer at Waratek, says the key takeaway here is that patching quickly is vital. "The bad guys have been banging away since the CPU was released looking for the flaws that can be remotely exploited," he notes.

The Oracle CPU is an all-or-nothing patch, so an organization has to apply everything at once, he adds. Between configuration, coding and testing, it can take weeks or months for an organization to fully deploy such updates. "So these don't tend to be fast fixes," Lee says.

Patch teams are already under tremendous pressure dealing with new and previously released patches from Oracle, Microsoft, IBM and others while ensuring their organizations are protected against the Apache Struts vulnerability that felled Equifax. Patch teams also have their hands full ensuring their organizations are protected against the WPA2 flaw and the factorization bug in the Infineon chipset, Lee notes. "When you layer legacy software on top of that, the teams charged with keeping apps safe are overwhelmed with the task."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.