Oracle’s quarterly Critical Patch Update (CPU) is never a minor event. In April we saw 104 security issues addressed; in January it was 144. This time around we are faced with 113 updates. These updates span the entire portfolio of Oracle software, including the JRE, Solaris, Oracle Database, MySQL, and numerous web and middleware products.
What stands out is the belated fix for Heartbleed in MySQL Enterprise Server, coming fully 3 months after Oracle fixed that issue in their other products, and the high-risk vulnerabilities fixed in Oracle Database and the JRE.
It’s somewhat shocking to see that the top two issues now being fixed in Oracle Database 12 (CVE-2013-3751 and CVE-2013-3774) were fixed a year ago for Oracle Database 11. That means Oracle quite likely knew that version 12 was vulnerable when they released it last June, and have left their customers exposed for the past year.
The older patches in Oracle Fusion Middleware (linked to CVE-2013-1741 and others) seem to be a different beast. This is likely Oracle taking upstream fixes from an open source vendor (Mozilla in this case) and redistributing them to their paying, affected customers because they re-use the vulnerable component.
The JRE patches address 20 different issues, with numerous high-risk vulnerabilities in each of the latest supported versions of the JRE. As expected, these are exploitable through sandboxed Java Web Start applications and applets. In the worst of these, an attacker could completely compromise target systems by inducing a user to visit a malicious web site or, all too commonly, a compromised “normal” web site that is serving malicious content.
Recent improvements to the controls over when the browser may run Java plugins have somewhat mitigated the risk for those users who have been keeping their JRE up to date and actually pay attention to the warnings and controls. That said, this is still going to be a major risk, and we will have to monitor for co-publication of exploit code through the various disclosure channels. The JRE fixes will be the top patching priority for almost all home and enterprise end users. The Oracle Database issues will be the main concern for enterprise database administrators.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.