Oracle Update Adds Java and Patches 120 Flaws

Oracle has released its Critical Patch Update for October 2013, incorporating, for the first time, Java
Oracle has released its Critical Patch Update for October 2013, incorporating, for the first time, Java

The Java portion of the update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication. The new version is Java 7 update 45.

“[Java] should be on the top of your patch list,” said Wolfgang Kandek, CTO, Qualys, in an emailed comment. “The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830.”

Java 6 is also vulnerable to 11 of the 12 highly critical vulnerabilities, but there are no more public patches for Java 6. “The recommended action for Java 6 here is to upgrade to Java 7 if possible,” Kandek said. “If you cannot upgrade, I would recommend to isolate the machine that needs Java 6 running and not use it for any other activities that connect it to the internet, such as email and browsing.”

The other 76 addressed flaws mostly allow for remote unauthenticated access for the attacker and are critical as well, particularly on applications that are exposed to the internet. For instance, Oracle’s RDBMS has four updates this quarter, all being remotely exploitable. The XML parser vulnerability has the highest CVSS score of 6 (on a scale of 10). One mitigating factor is that Oracle databases are typically not exposed the internet.

Oracle’s MySQL database has eight new vulnerabilities addressed, with the highest score at 8.5 in the MySQL Monitoring component. All vulnerabilities that can be accessed through the network require authentication, though, including two that are remotely accessible and have a CVSS score of 6.8.

“MySQL is often found exposed to the Internet, even though this is not considered best practice,” Kandek said. “If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.”

The Sun product family has 12 updates, with a high score of 6.9 in a SPARC server management module (ILOM).

“Usually access to these modules should be tightly controlled as they provide very powerful management functions such as power-on/off, etc., but we have seen just recently some research that shows that these interfaces often end up on the Internet,” he noted. “If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and DMZ.”

Oracle’s Fusion Middleware has a total of 17 vulnerabilities, of which 12 are accessible remotely with a maximum CVSS score of 7.5. Fusion also contains the Outside-In product that is used in Microsoft Exchange (and other software packages) for document viewing. Microsoft has addressed the vulnerabilities CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781 in its August Patch Tuesday bulletin MS13-061, so the new vulnerabilities, CVE-2013-5791 and CVE-2013-3624, will likely prompt a new release of Exchange by Microsoft as well, Kandek noted.

Other product families with security updates include Peoplesoft, E-Business and Virtualization.

In order to address the massive update efficiently, Kandek recommends patching Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the internet, such as Weblogic, HTTP and others. “Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels,” he said.

What’s hot on Infosecurity Magazine?