Security risk management: Oracle releases bumper Critical Patch update for Java to combat hackers and malware writers

Oracle has finally released its Critical Patch Update (CPU) for October 2013, and for the first time ever has incorporated Java into the patch. Previously Oracle had released Java patches on a separate cycle every 4 months. The net effect of the all-inclusive patch is a massive update which aims to fix 120 flaws across the majority of Oracle’s product families.
The Java programming language has proved popular because software written with it can easily be made to run on many different types of computer. However, Oracle has had a torrid time over the last few months. Targeted by hackers, Oracle has rarely been out of the news. There had been hopes that Java 7 Update 11 would finally fix the problems. Unfortunately, in the opinion of cyber-security experts, that patch, which was meant to mitigate two zero-day vulnerabilities in Java that were being actively exploited by attackers, did not deliver and merely helped to relocate the threat elsewhere, leaving Java still vulnerable.

The new version, Java 7 Update 45, fixes 51 separate vulnerabilities in the Java system used on billions of devices. Oracle maintains that 12 of these vulnerabilities, those with the highest CVSSv2 score of 10, were the most popular targets for cyber-thieves and malware writers, and allowed hackers to take full control of attacked machines over the network without requiring authentication. In an advisory press release about the update, Oracle urged customers to patch the software as soon as possible “due to the threat posed by a successful attack”.
Speaking about Oracle’s latest update in a blog post, Wolfgang Kandek, Qualys’ CTO and security expert, commented that if the bugs were exploited, attackers could bypass ID controls and take over a target system:
“[Java] should be on the top of your patch list. The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830.”
Java 6 is also known to be vulnerable to 11 of the 12 highly critical vulnerabilities referred to in the latest update, but there are no more public patches for Java 6. For those affected by this scenario, Kandek recommends “isolating the machine that needs Java 6 running and not use it for any other activities that connect it to the internet, such as email and browsing.”
Of the other vulnerabilities identified by Oracle, the remaining 76 addressed flaws mostly allow for remote unauthenticated access for the attacker and are critical as well, particularly on applications that are exposed to the internet. For instance, Oracle’s RDBMS has four updates this quarter, all of them remotely exploitable. The XML parser vulnerability has the highest CVSS score of 6 (on a scale of 10). One mitigating factor is that Oracle databases are typically not exposed to the internet.
There are also 8 new vulnerabilities addressed in Oracle’s MySQL database, with the highest score at 8.5 in the MySQL Monitoring component. However, all vulnerabilities that can be accessed through the network require authentication, including two that are remotely accessible and have a CVSS score of 6.8:
“MySQL is often found exposed to the Internet, even though this is not considered best practice,” Kandek said. “If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.”
The Sun product family has 12 updates, with a high score of 6.9 in a SPARC server management module (ILOM).
“Usually access to these modules should be tightly controlled as they provide very powerful management functions such as power-on/off, etc., but we have seen just recently some research that shows that these interfaces often end up on the Internet,” he noted. “If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and DMZ.”
Oracle’s Fusion Middleware has a total of 17 vulnerabilities, of which 12 are accessible remotely with a maximum CVSS score of 7.5. Fusion also contains the Outside-In product that is used in Microsoft Exchange (and other software packages) for document viewing. Microsoft has addressed the vulnerabilities CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781 in its August Patch Tuesday bulletin MS13-061, so the new vulnerabilities, CVE-2013-5791 and CVE-2013-3624, will likely prompt a new release of Exchange by Microsoft as well, Kandek noted.
Such is the size and scope of this latest update that Kandek believes the only way the task can be carried out efficiently and effectively is by applying the Java patch first. He argues that as Java is the most-attacked software in the latest release, it warrants the greatest attention. After that, vulnerabilities on services that are exposed to the internet, such as WebLogic, HTTP and others, can then be addressed.
