On Tuesday, Oracle released its quarterly Critical Patch Update, which addressed a total of 169 vulnerabilities across multiple products, including Java SE (Standard Edition).
The update also includes a fix for a backdoor-like vulnerability in its E-Business Suite, which can be exploited to fully compromise the database server.
“This Oracle Critical Patch Update (CPU) contains four ‘perfect-10’ highest risk vulnerabilities in Java SE and is dominated by sandbox bypasses. Four out of every five identified CVEs in the CPU can be exploited for full or partial sandbox bypass,” commented Waratek CTO John Matthew Holt.
“It is a modern day paradox that Java technology, which rocketed to prominence on the promise of its ‘secure sandbox’ design, is vulnerable to 16 new sandbox bypasses. That represents one new Java sandbox bypass every 120 hours since the last CPU,” he noted.
“The threats associated with sandbox bypass vulnerabilities in this CPU range from reading and writing local data to complete ‘operating system takeover including arbitrary code execution’. Complete OS takeover vulnerabilities are the worst possible kind because attackers can use these vulnerabilities not just to steal sensitive or confidential data, but to install malware, steal passwords, assume a user’s identity, delete files, and use the compromised machine as a pivot point to launch deeper attacks on other lateral machines within the same local area network.”
“Java’s security record cannot be attributed to Oracle. Instead, it is a function of legacy flaws in Java’s SecurityManager and Security Architecture,” he added. “Oracle is doing an admirable job addressing Java vulnerabilities. However, until containerization and automatic runtime self-protection are incorporated in Java, its security record is unlikely to improve.”
For more details about the CPU, see this post on the Oracle Software Security Assurance Blog. When you implement the patches, be sure to download them directly from Oracle’s site: the company has spotted several malware sites actively offering fake Oracle patches for download.