Oracle issues critical patch update: 169 new security fixes

Oracle's latest CPU includes a vast number of security fixes, with Oracle Database and Middleware issues at the top of the list.
Written by Charlie Osborne, Contributing Writer

Oracle's quarterly critical patch update includes security updates and patches for 169 problems affecting products including Java, Fusion Middleware, Enterprise Manager and MySQL.

The California-based company's January 2015 Critical Patch Update includes 8 vulnerability fixes for Oracle Database, among them one severe issue given a CVSS Base Score of 9 because it allows a full compromise of the targeted server.

Additional Database vulnerabilities received high scores in Oracle's severity rating system -- and a number of flaws can be remotely exploited.

In total, 36 new fixes have been issued for Oracle Fusion Middleware products, and the most severe received a rating of 9.3. Two of the Oracle Fusion Middleware vulnerabilities fixed in this Critical Patch Update can result in a server takeover.

10 new fixes have been included for Oracle E-Business Suite, 6 for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning.

This CPU also provided 29 fixes for the Oracle Sun Systems Products Suite, and the highest CVSS score reported for this set of vulnerabilities was 10. This particularly nasty flaw affects XCP Firmware versions prior to XCP 2232.

Java, naturally, appears on the list. The most severe vulnerabilities were high-hitters, gaining a score of 10. Out of 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations. However, considering how many critical updates in the past have predominantly focused on Java, this security fix rate is relatively low.

Oracle states:

"Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

The full list of affected software is below:


Application security for Java provider Waratek CTO John Matthew Holt commented:

"Today's Oracle Critical Patch Update (CPU) contains four 'perfect-10' highest risk vulnerabilities in Java SE and is dominated by sandbox bypasses. Four out of every five identified CVEs in the CPU can be exploited for full or partial sandbox bypass.

It is a modern-day paradox that Java technology, which rocketed to prominence on the promise of its "secure sandbox" design, is vulnerable to 16 new sandbox bypasses. That represents one new Java sandbox bypass every 120 hours since the last CPU."

The executive also noted that the threats associated with this update range from reading and writing local data to complete "operating system takeover including arbitrary code execution." Complete system takeovers are naturally the most severe, as they place a user's sensitive data at risk and allow an attacker to install malware, steal an identity or use the compromised system to infect others.

"Java's security record cannot be attributed to Oracle," Holt says. "Instead, it is a function of legacy flaws in Java's SecurityManager and Security Architecture. Oracle is doing an admirable job addressing Java vulnerabilities. However, until containerization and automatic runtime self-protection is incorporated in Java, its security record is unlikely to improve."

The next CPU date is 14 April 2015.
