Oracle has released its quarterly patch round and it’s another big one, with fixes for 154 new security vulnerabilities across a wide range of products including one which has been exploited in a suspected nation state attack on the White House.
The product families affected include Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.
One of the most notable flaws is CVE-2015-4902, used by Pawn Storm attackers to bypass the click-to-play protection in Java in a campaign against NATO members and the White House earlier this year, according to Trend Micro.
In fact, the vulnerabilities in Java and Middleware should come near the top of the priority list, as 24 and 16 of them respectively are remotely exploitable, according to Shavlik product manager Chris Goettl.
“Next pay attention to CVSS, as it can be a good indicator. However, keep in mind that in 2014 of all CVEs observed that are being exploited, 97% of those exploits were across only 10 CVEs, and many were more than 10 years old and with CVSS scores lower than 7.0,” he added.
“For this reason, you may also want to factor in access complexity, as a low complexity score indicates a vulnerability that will be easier to exploit. Middleware has a few CVSS with a score of 7.5 which are also low complexity. Java has seven vulnerabilities scoring 10.0 CVSS and all of those are low complexity. These should be top priorities.”
Oracle software security assurance director, Eric Maurice, urged sysadmins to apply patches as soon as possible due to the “severity of a number of vulnerabilities fixed” in this update round.
“As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited ‘in the wild’ (some of these bugs were discovered internally as part of our ongoing assurance effort),” he explained.
“However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort. Keeping up with security releases is important to help preserve a security-in-depth posture.”