Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/17/2012
12:12 AM
50%
50%

3 Must-Fix Vulnerabilities Top Oracle CPU Patches

Two CVSS 10.0 and one 9.0 flaws top the charts on a Critical Patch Update list chock full of remotely exploitable vulnerabilities

Systems administrators on all IT fronts will have their hands busy patching Oracle vulnerabilities across the software giant's portfolio with the release this week of the company's quarterly Critical Patch Update. Security experts warn enterprises to pay particular attention to this last CPU of the year, which today took the wraps off over 100 fixes affecting 10 different product groups, with one or more vulnerabilities in each group open to remote exploitation without exploitation.

[Forgetting something? Don't get caught with your patch down. See 5 Systems Your Forgetting To Patch. ]

Of particular note among the fixed vulnerabilities named by Oracle were two flaws with a CVSS base score of 10.0, one for the Core RDBMS database product and one for Oracle Fusion Middleware's JRockit component, as well as another MySQL flaw with a CVSS score of 9.0. According to Oracle, the highly critical JRockit fix was actually part of a broader Java SE Critical Patch to address multiple vulnerabilities affecting the Java Runtime Environment, some of which security pundits expected to address zero-day vulnerabilities disclosed by Security Explorations last month.

"Many were anticipating Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37," says Marcus Carey, security Researcher for Rapid7. "I advise everyone who needs Java to update as soon as possible."

According to Wolfgang Kandek, CTO of Qualys, Java is a frequently neglected piece of software within many enterprise patch processes, an opportunity many hackers have not failed to take advantage of.

"In our research into the vulnerability update cycle, we frequently see Java as being one of the slowest moving applications to be updated, frequently many update cycles behind in patching," Kandek says. "Attackers have adapted to this reality, and many modern exploits go first for a Java based attack, as they know that existing, well-known vulnerabilities can be exploited reliably."

Meanwhile, on the database front, the biggest vulnerability out of the five named within the Core RDBMS product group was a flaw disclosed by Application Security, Inc. researchers in 2010 around the way that Oracle 11 g handled its log-in protocol.

"We're calling it stealth password cracking and it's a vulnerability in the log-in protocol introduced when they released 11g," says Josh Shaul, CTO of Application Security, explaining the flaw allowed for attackers to guess passwords based on information sent to the client by the database.

According to Shaul, Oracle had previously intimated to Application Security that it wasn't going release a CPU update for the flaw, which led to the database security company planning a meticulous public disclosure of the flaw to its customer base and the public at large. Oracle changed course on its decision, which led to Application Security only partially disclosing vulnerability details at a conference in Argentina last month and delaying more detailed disclosure information until after the CPU was released.

"Oracle really struggled with this one because it is a protocol-level issue, which meant that it impacts not just the database but all the clients," he says. "What Oracle explained to us what they were going to do in the CPU was just turn off the Oracle log-in protocol--basically downgrading everyone."

While this reverts back to a lack of case sensitivity in Oracle authentication, that's better than a vulnerability in the environment, Shaul says.

While its CVSS rating was slightly lower, the other major database vulnerability in MySQL deserves equal scrutiny from users, warns Carey.

"That one frightens me more than any of them," he says.

The reason being that according to recent Rapid7 research, half of MySQL deployment instances don't use host based access control. And with so many content management systems like Wordpress using MySQL out on the internet, there is an opportunity for a huge malware outbreak if attackers leverage severe vulnerabilities with scores of 9 or 10 that have lots of potential for remote exploit.

"I fear there could be a major outbreak of MySQL being exploited on massive scale and since so many content management systems use it you could actually find attackers inserting malicious content into the database to have that render and exploit a lot of people," he says.

Beyond those extremely severe vulnerabilities pointed out by the experts, there are dozens more that hold plenty of potential for problems if they aren't addressed in a timely fashion. According to Chris Eng, vice president of research for Veracode, as organizations prioritize it will pay to specifically survey the risks to the install base within their environments and the data processed by those applications.

"If you have really severe issues in data document management server but you're only using that for not very important documents then it may not be that important that you patch that right away," he says. "Maybe you have some cross-site-scripting vulnerabilities in an Oracle product you have deployed that's public-facing. In that case that's going to be more important to patch sooner, even if the severity is lower, because it's public-facing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.