Vulnerabilities / Threats

10/18/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Oracle Fixes 20 Remotely Exploitable Java SE Vulns

Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches 'without delay.'

Oracle this week urged administrators to apply security patches to their systems more quickly even as it increased their burden with a set of fresh fixes for another 252 vulnerabilities across products including Oracle Database Server and Java SE.

Tuesday's critical patch update (CPU) is Oracle's first since news of the Equifax breach and of serious vulnerabilities in the widely used WPA2 WiFi security protocol, and separately, in numerous products featuring a particular crypto chipset from Infineon.

In its patch availability announcement, Oracle did not specifically call out these incidents as heightening the urgency for organizations to apply its CPU's more promptly. Instead as it usually does, Oracle more generally cautioned customers about periodic reports it receives about intruders successfully breaking into organizations by exploiting vulnerabilities for which the company has already issued patches.

"Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay," the company noted.

Big as October's CPU is, it is actually smaller than Oracle's last one in July when the company announced fixes for 310 flaws and the one before in April that involved patches for 300 vulnerabilities.

Commenting on the security update, application security vendor Waratek said the CPU contains fixes for bugs in the Java Virtual Machine and five additional components in Oracle's Database Server. Two of the patched flaws are remotely exploitable without the need for any credentials.

Oracle's October CPU also patches 22 Java SE vulnerabilities, says Chris Goettl, product manager at Ivanti. "Twenty of these may be remotely exploited without requiring authentication," Goettl says.

"What this means is an attacker with a foothold in your environment just needs to be able to resolve a system with one of these vulnerabilities exposed and they would not even need to have a credential to exploit it."

Unlike Microsoft's monthly updates, Oracle releases its security patches once every three months. So the October update is the last one for this year. Up to now in 2017, Oracle has fixed a total of 79 vulnerabilities in Java SE or more than double the 37 it addressed last year, Waratek noted. The sharp increase suggests that Oracle is paying more attention to find flaws in Java SE. But it also underscores the growing risk that the Java platform poses for organizations, the vendor observed in its commentary.

“While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws," Waratek security architect Apostolos Giannakidis said in the guide. "This CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application."

James Lee, executive vice president and chief marketing officer at Waratek, says the key takeaway here is that patching quickly is vital. "The bad guys have been banging away since the CPU was released looking for the flaws that can be remotely exploited," he notes.

The Oracle CPU is an all-or-nothing patch, so an organization has to apply everything at once, he adds. Between configuration, coding and testing, it can take weeks or months for an organization to fully deploy such updates. "So these don't tend to be fast fixes," Lee says.

Patch teams are already under tremendous pressure dealing with new and previously released patches from Oracle, Microsoft, IBM and others while ensuring their organizations are protected against the Apache Struts vulnerability that felled Equifax. Patch teams also have their hands full ensuring their organizations are protected against the WPA2 flaw and the factorization bug in the Infineon chipset, Lee notes. "When you layer legacy software on top of that, the teams charged with keeping apps safe are overwhelmed with the task."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...