Vulnerabilities / Threats

10/18/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Oracle Fixes 20 Remotely Exploitable Java SE Vulns

Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches 'without delay.'

Oracle this week urged administrators to apply security patches to their systems more quickly even as it increased their burden with a set of fresh fixes for another 252 vulnerabilities across products including Oracle Database Server and Java SE.

Tuesday's critical patch update (CPU) is Oracle's first since news of the Equifax breach and of serious vulnerabilities in the widely used WPA2 WiFi security protocol, and separately, in numerous products featuring a particular crypto chipset from Infineon.

In its patch availability announcement, Oracle did not specifically call out these incidents as heightening the urgency for organizations to apply its CPU's more promptly. Instead as it usually does, Oracle more generally cautioned customers about periodic reports it receives about intruders successfully breaking into organizations by exploiting vulnerabilities for which the company has already issued patches.

"Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay," the company noted.

Big as October's CPU is, it is actually smaller than Oracle's last one in July when the company announced fixes for 310 flaws and the one before in April that involved patches for 300 vulnerabilities.

Commenting on the security update, application security vendor Waratek said the CPU contains fixes for bugs in the Java Virtual Machine and five additional components in Oracle's Database Server. Two of the patched flaws are remotely exploitable without the need for any credentials.

Oracle's October CPU also patches 22 Java SE vulnerabilities, says Chris Goettl, product manager at Ivanti. "Twenty of these may be remotely exploited without requiring authentication," Goettl says.

"What this means is an attacker with a foothold in your environment just needs to be able to resolve a system with one of these vulnerabilities exposed and they would not even need to have a credential to exploit it."

Unlike Microsoft's monthly updates, Oracle releases its security patches once every three months. So the October update is the last one for this year. Up to now in 2017, Oracle has fixed a total of 79 vulnerabilities in Java SE or more than double the 37 it addressed last year, Waratek noted. The sharp increase suggests that Oracle is paying more attention to find flaws in Java SE. But it also underscores the growing risk that the Java platform poses for organizations, the vendor observed in its commentary.

“While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws," Waratek security architect Apostolos Giannakidis said in the guide. "This CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application."

James Lee, executive vice president and chief marketing officer at Waratek, says the key takeaway here is that patching quickly is vital. "The bad guys have been banging away since the CPU was released looking for the flaws that can be remotely exploited," he notes.

The Oracle CPU is an all-or-nothing patch, so an organization has to apply everything at once, he adds. Between configuration, coding and testing, it can take weeks or months for an organization to fully deploy such updates. "So these don't tend to be fast fixes," Lee says.

Patch teams are already under tremendous pressure dealing with new and previously released patches from Oracle, Microsoft, IBM and others while ensuring their organizations are protected against the Apache Struts vulnerability that felled Equifax. Patch teams also have their hands full ensuring their organizations are protected against the WPA2 flaw and the factorization bug in the Infineon chipset, Lee notes. "When you layer legacy software on top of that, the teams charged with keeping apps safe are overwhelmed with the task."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...