Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/17/2012
12:12 AM
50%
50%

3 Must-Fix Vulnerabilities Top Oracle CPU Patches

Two CVSS 10.0 and one 9.0 flaws top the charts on a Critical Patch Update list chock full of remotely exploitable vulnerabilities

Systems administrators on all IT fronts will have their hands busy patching Oracle vulnerabilities across the software giant's portfolio with the release this week of the company's quarterly Critical Patch Update. Security experts warn enterprises to pay particular attention to this last CPU of the year, which today took the wraps off over 100 fixes affecting 10 different product groups, with one or more vulnerabilities in each group open to remote exploitation without exploitation.

[Forgetting something? Don't get caught with your patch down. See 5 Systems Your Forgetting To Patch. ]

Of particular note among the fixed vulnerabilities named by Oracle were two flaws with a CVSS base score of 10.0, one for the Core RDBMS database product and one for Oracle Fusion Middleware's JRockit component, as well as another MySQL flaw with a CVSS score of 9.0. According to Oracle, the highly critical JRockit fix was actually part of a broader Java SE Critical Patch to address multiple vulnerabilities affecting the Java Runtime Environment, some of which security pundits expected to address zero-day vulnerabilities disclosed by Security Explorations last month.

"Many were anticipating Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37," says Marcus Carey, security Researcher for Rapid7. "I advise everyone who needs Java to update as soon as possible."

According to Wolfgang Kandek, CTO of Qualys, Java is a frequently neglected piece of software within many enterprise patch processes, an opportunity many hackers have not failed to take advantage of.

"In our research into the vulnerability update cycle, we frequently see Java as being one of the slowest moving applications to be updated, frequently many update cycles behind in patching," Kandek says. "Attackers have adapted to this reality, and many modern exploits go first for a Java based attack, as they know that existing, well-known vulnerabilities can be exploited reliably."

Meanwhile, on the database front, the biggest vulnerability out of the five named within the Core RDBMS product group was a flaw disclosed by Application Security, Inc. researchers in 2010 around the way that Oracle 11 g handled its log-in protocol.

"We're calling it stealth password cracking and it's a vulnerability in the log-in protocol introduced when they released 11g," says Josh Shaul, CTO of Application Security, explaining the flaw allowed for attackers to guess passwords based on information sent to the client by the database.

According to Shaul, Oracle had previously intimated to Application Security that it wasn't going release a CPU update for the flaw, which led to the database security company planning a meticulous public disclosure of the flaw to its customer base and the public at large. Oracle changed course on its decision, which led to Application Security only partially disclosing vulnerability details at a conference in Argentina last month and delaying more detailed disclosure information until after the CPU was released.

"Oracle really struggled with this one because it is a protocol-level issue, which meant that it impacts not just the database but all the clients," he says. "What Oracle explained to us what they were going to do in the CPU was just turn off the Oracle log-in protocol--basically downgrading everyone."

While this reverts back to a lack of case sensitivity in Oracle authentication, that's better than a vulnerability in the environment, Shaul says.

While its CVSS rating was slightly lower, the other major database vulnerability in MySQL deserves equal scrutiny from users, warns Carey.

"That one frightens me more than any of them," he says.

The reason being that according to recent Rapid7 research, half of MySQL deployment instances don't use host based access control. And with so many content management systems like Wordpress using MySQL out on the internet, there is an opportunity for a huge malware outbreak if attackers leverage severe vulnerabilities with scores of 9 or 10 that have lots of potential for remote exploit.

"I fear there could be a major outbreak of MySQL being exploited on massive scale and since so many content management systems use it you could actually find attackers inserting malicious content into the database to have that render and exploit a lot of people," he says.

Beyond those extremely severe vulnerabilities pointed out by the experts, there are dozens more that hold plenty of potential for problems if they aren't addressed in a timely fashion. According to Chris Eng, vice president of research for Veracode, as organizations prioritize it will pay to specifically survey the risks to the install base within their environments and the data processed by those applications.

"If you have really severe issues in data document management server but you're only using that for not very important documents then it may not be that important that you patch that right away," he says. "Maybe you have some cross-site-scripting vulnerabilities in an Oracle product you have deployed that's public-facing. In that case that's going to be more important to patch sooner, even if the severity is lower, because it's public-facing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...