Oracle issued a gargantuan quarterly patch update this week, fixing a whopping 248 vulnerabilities across its product portfolio. Despite its size, Oracle Database, MySQL, and Java accounted for just a third of the fixes in the January Critical Patch Update.
The January CPU addressed seven vulnerabilities in the Oracle Database Server, three for the Oracle GoldenGate component, eight in Oracle Java SE, and 22 in Oracle MySQL. The update also closed nine issues in Oracle Virtualization and 23 in Oracle Sun Systems Product Suite, which includes Solaris. As has been the case with previous CPUs, the lion's share of the fixes focused on Enterprise applications including Oracle EBS, Oracle Fusion Middlware, and Oracle PeopleSoft. All four patches with Common Vulnerability Scoring Standard scores of 8.0 or higher were for Java and Oracle Database.
Along with the January CPU, Oracle also released Patch Set Updates (PSUs) for the Weblogic Apache Common vulnerability. Oracle had already released an out-of-band security patch for Weblogic in Novemer to address the deserialization vulnerability in Apache Commons library. PSUs are cumulative patches that include both the security fixes and priority fixes.
Database fixes for all
Oracle closed security holes in Oracle Database Server versions 184.108.40.206, 220.127.116.11, and 18.104.22.168. None of the vulnerabilities could be exploited remotely without authentication, but the issue in the Java VM component (CVE-2016-0499) had a CVSS score of 9.0. An attacker would be able to take full control over the database server via this bug if the targeted system was a Windows machine running a Database version older than 12c. For database servers running on Linux, Unix and other platforms, as well as Database 12c on Windows, the CVSS score drops to 6.5 and the likelihood of someone getting full control over the server is lessened, according to the advisory.
The updates affect the following components: Java VM, Workspace Manager, XDB-XML Database, Database Vault, Security, and XML Developers' Kit for C.
Of the 22 flaws in MySQL, only one, in the client application, can be exploited remotely without authentication. The CVSS score is 7.2 only if the mysql client is run locally with admin or root privileges. On systems where the mysql client is given restricted privileges, as is considered best practice, the CVSS score drops to 4.6.
The update affected MySQL versions 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9.
Low number of Java updates
It's possible the January CPU closed a rather low number of vulnerabilities in Java because Oracle is deemphasizing Java. More likely, Oracle feels comfortable shifting its bug-fixing efforts elsewhere because Java is not as unstable or under siege as it used to be. Over the past year Oracle has focused on making Java more secure, such as making applets harder to exploit by enabling them selectively through Deployment Rulesets. Some browsers whitelisted Java as click-to-play, and Microsoft added Java to its EMET tool, resulting in a "more stable environment for Java," said Wolfgang Kandek, CTO of Qualys. "We have not heard of its use in any of the main attack campaigns."
However, three of the eight vulnerabilities were rated as critical, with CVSS scores of 10.0. The severity assumes that the user running a Java applet or Java Web Start application has administrator privileges, which is a typical scenario on Windows systems. The CVSS score drops to 7.5 if the user does not have administrator privileges, a scenario more commonly found on Solaris and Linux systems.
Two of the critical flaws, in Java's 2D component (CVE-2016-0494) and in Java's AWT (CVE-2015-8126), can only be exploited through sandboxed Java Web Start applications and Java applets. The other AWT bug (CVE-2016-0483) also applies to server-side Java deployments. Attackers can potentially exploit the bug by supplying data through a Web service, "and should be looked at by your server team," Kandek said.
Oracle "strongly recommends" that customers remain on actively supported versions and apply Critical Patch Update fixes without delay. Of the 16 updates addressing issues in Solaris 11, four could be exploited remotely without authentication. Also worrying, eight of them could result in an attacker gaining complete control over the system. Unsupported Solaris 11.x versions should be upgraded to a supported release or patch set.
None of the vulnerabilities appear to be under active exploitation, but that doesn't mean administrators can take their time with patching. Attackers frequently target vulnerabilities even after patches have been released because they know everyone doesn't patch promptly.