Oracle has published their Critical Patch Update (CPU) for January 2016. The Oracle CPU is quarterly and addresses the flaws in large Oracle’s product line, including their core product the relational database, but also in a large number of acquisitions like Solaris, MySQL, Java and many of the end-user products, such as JDEdwards ERP, Peoplesoft and CRM.
This quarter’s update fixes 248 vulnerabilities in over 50 different product lines. You will have to read carefully through the update and compare with your application inventory to see if you are affected. If, for example you run Oracle’s GoldenGate application you have two critical vulnerabilities that can be remotely triggered.
On the desktop Java has been a technology that has been attacked frequently. Attackers like applet vector, serving a Java application through a webpage and taking control of the targeted machine. Oracle has been working over the last year to close down that vector by enabling it only selectively through Deployment Rulesets. The browser vendors have also spend considerable amounts of time to make Java only execute when fully updated or when whitelisted with click-to-play. Microsoft has added Java whitelisting into its EMET tool to add another layer of control. All this has resulted in more stable environment for Java and we have not heard of its use in any of the main attack campaigns.
This update addresses a rather low number vulnerabilities in Java, reflecting that stable environment. In total there are eight, three of them critical with a CVSS score of 10. Of the three two apply only to the client-side (the aforementioned scenario that has gotten so much attention), but one also applies to server deployments and should be looked at by your server team. The new version is Oracle Java 8 update 66, Oracle also has patches for the legacy versions 7 (7 update 91) and 6 (6 update 105) that are not available for public download anymore.
If you have no strong reason to stay on these legacy versions, you should update to Java 8. If you have an application that requires a certain legacy version take a look at Deployment Rulesets that allow to run an updated version of Java everywhere but in some whitelisted cases where an older version (installed in parallel) is used.
The Oracle RDBMS has seven vulnerabilities addressed, with the highest score CVSS 9.0, but only on certain RDBMS configurations on Windows. On other OSs the maximum score is CVSS 6.5.
MySQL addresses 22 vulnerabilities, with the highest score of CVSS 7.2 reached only when running the mysql client locally as root. Running as root is most likely unnecessary so you might already be covered by a best practice for that case.
Oracle virtualisation got nine updates. If you use it in production they are worth looking at. I use Oracle VirtualBox frequently but in a lab setting where the addressed vulnerabilities won’t be exercised any time soon, i.e. my interaction with external websites is minimal. I will update during my next major update cycle for the system in question.
There are 27 fixes for Oracle’s middleware. This contains a number of patches for Weblogic with a score of CVSS 7.5. If you run Weblogic this is worth looking at.
With 248 fixes it is important that you know what applications you are running within you company. A complete inventory of your servers and installed software comes in handy to augment a manual application registry that many companies have made mandatory already. Scanning all of your machines will find applications that you were not aware of, plus versions of programs that are outdated and potentially even end-of-life.