Administrators who support Java applications and various Oracle databases should pay close attention to the latest quarterly security update from Oracle, as more than a third of the security fixes affect Java, MySQL, and Oracle Database Server. Several of these vulnerabilities are considered critical and could be remotely exploited without requiring authentication, Oracle said.
Oracle doesn't state in the Critical Patch Update (CPU) whether any of the vulnerabilities are currently being exploited in the wild. However, it warns that attackers continue to target security holes for which fixes are already available. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," the company said in an advisory.
Oracle has switched to the Common Vulnerability Scoring System 3.0 scale to indicate the severity of the flaws fixed in the CPU. The advisory is also available with CVSS 2.0, but going forward, the CPU will rely on the newer scale.
Losing interest in database fixes
The size of this CPU -- 136 fixes -- is actually the second smallest over the past year. Last April's CPU fixed a mere 98 flaws, but subsequent updates have been progressively larger, peaking at 248 patches in January's gargantuan CPU. More than the size of the CPU itself, what's striking is the small number of patches for Oracle Database. Past CPUs have hovered around 10 Oracle Database Server patches, but this month there are only five. Maybe it has something to do with April -- Oracle patched a mere four flaws last April.
Of the five security fixes for Oracle Database Server, two can be remotely exploited over a network without the attacker having valid login credentials. None of the flaws applies to client-only installations or cases where the organization does not have Oracle Database Server. The most serious vulnerability is a critical flaw in the Java VM component (CVE-2016-3454) in Oracle Database Server versions 11.2.04, 18.104.22.168, and 22.214.171.124. Oracle assigned a CVSS 3.0 rating of 9.0 (CVSS 2.0 rating of 7.6), and warned that the attack complexity for this flaw was high. A successful attack would likely result in total information disclosure and give the attacker complete control over the targeted system.
Considering how many organizations are locked into paying expensive legacy contracts because their critical systems rely on Oracle databases, it's worrying that the bulk of the CPUs for the past few years has fixed issues in nondatabase products. Like any other software, Oracle Database has bugs. And considering the amount of sensitive data that organizations store, the company should focus more attention on finding and patching those issues. The fact that it hasn't been doing so is another indicator Oracle is moving away from its database roots.
MySQL still gets attention
Oracle's lack of attention on databases may be confined to its flagship database, since the CPU did not neglect MySQL. Of the 31 new security fixes for Oracle MySQL, four could be exploited remotely without authentication. Both critical vulnerabilities in MySQL Server's packaging subcomponent (CVE-2016-0705) and the critical vulnerability in MySQL Server's pluggable authentication subcomponent (CVE-2016-0639) affect versions 5.6.29 and earlier as well as 5.7.11 and earlier. Oracle assigned a CVSS 3.0 rating of 9.8 (CVSS 2.0 rating of 10.0) and warned that the attack complexity for these flaws was low, meaning attackers don't have to meet any special requirements to reach the bug. A successful attack would result in total information disclosure and complete control over the targeted system.
The other two flaws that can be remotely exploited are not rated critical, but should be considered high-priority. The vulnerability in MySQL Server in the encryption subcomponent (CVE-2015-3194) has a CVSS 3.0 rating of 7.5 and affects versions 5.6.28 and earlier, as well as 5.7.10 and earlier. A successful attack would result in the system no longer being available.
The other is a vulnerability in MySQL Server's connection handling subcomponent (CVE-2016-2047) that has a CVSS 3.0 rating of 5.9. This flaw exists in versions 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier. An attacker who succeeds in exploiting this flaw would be able to modify information on the server.
Administrators can reduce the risk of attacks targeting these flaws by limiting the machines that can form a direct connection using the MySQL protocol.
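The advice above has two concrete places to check on a MySQL server: the address the server listens on (bind-address in my.cnf) and the host part of each account in mysql.user, since an account such as 'app'@'%' accepts the MySQL protocol from anywhere the listener is reachable. The following audit script is an added example, not code from the article or from Oracle; the my.cnf fragments and the account rows are constructed sample data, and the function names are this example's own.

```python
"""Audit whether direct MySQL-protocol access to a server is restricted.

Added example (not from the article or Oracle). It checks two controls:
the server's bind-address in my.cnf, and the host part of each account
in mysql.user. All configuration text and account rows are constructed.
"""
import re

# Constructed my.cnf fragment: the weak setting, listening on all interfaces.
WEAK_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0   # reachable from every network the host is on
"""

# Constructed my.cnf fragment: the corrected setting, loopback only.
HARDENED_MY_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""

# Constructed rows, shaped like the result of: SELECT user, host FROM mysql.user
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "%"),            # any host may authenticate as app
    ("app", "10.0.1.%"),     # wildcard, but limited to one /24
    ("report", "192.168.5.20"),
    ("backup", "localhost"),
]

# Values that make mysqld listen on every interface (MySQL 5.6/5.7 default is "*").
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_bind_address(my_cnf):
    """Return the bind-address from the [mysqld] section, or None if unset."""
    in_mysqld = False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            m = re.match(r"bind[-_]address\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None


def audit(my_cnf, accounts):
    """Return a list of (kind, subject, reason) findings for a server."""
    findings = []
    bind = parse_bind_address(my_cnf)
    if bind is None or bind in ALL_INTERFACES:
        findings.append(("bind-address",
                         bind or "(unset, defaults to all interfaces)",
                         "server accepts MySQL-protocol connections on every interface"))
    for user, host in accounts:
        if host in ("%", ""):
            findings.append(("account", "'%s'@'%s'" % (user, host),
                             "reachable from any host"))
        elif "%" in host or "_" in host:
            findings.append(("account", "'%s'@'%s'" % (user, host),
                             "wildcard host pattern; confirm the range is intended"))
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print("== %s configuration ==" % label)
        for kind, subject, reason in audit(cnf, SAMPLE_ACCOUNTS):
            print("%-12s %-22s %s" % (kind, subject, reason))
```

On a real server the account rows come from `SELECT user, host FROM mysql.user`, and the bind-address finding should be read together with host-firewall rules: a loopback-only bind-address removes the network exposure entirely, while a broad bind-address needs a firewall rule that limits TCP port 3306 to the application hosts that genuinely need it.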
Patch Java or dump it
Oracle patched nine security flaws in Oracle Java SE, which affect Java applets and Java Web Start applications. All of the vulnerabilities can be remotely exploited without a username or password, but the severity depends on the level of privileges assigned to the user. If the user has administrator privileges -- unfortunately still common on Windows systems -- the severity is much higher than if the user has restricted access, a scenario more common for Linux and Solaris users.
Oracle said the attack complexity for the flaws in Java SE's 2D subcomponent (CVE-2016-3443, base score of 9.6 under CVSS 3.0), in Java SE and Java SE Embedded's hotspot subcomponent (CVE-2016-0687, base score of 9.6 under CVSS 3.0), and in Java SE and Java SE Embedded's serialization subcomponent (CVE-2016-0686, base score of 9.6 under CVSS 3.0), was low. Affected versions include Java SE 6u113, 7u99, 8u77, and Java SE Embedded 8u77.
The three flaws affect Java deployments that load and run untrusted code, such as clients running sandboxed Java Web Start applications or sandboxed Java applets, Oracle said in its advisory. The vulnerabilities do not apply in server-side Java deployments that load and run only trusted code.
The attack complexity for the bug in Java SE, Java SE Embedded, and JRockit's JMX subcomponent (CVE-2016-3427) is high, meaning the attacker requires perfect timing or circumstances other than user interaction in order to succeed. The vulnerability applies to both client- and server-side Java, as it can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, and by supplying data to APIs not using Java sandboxes (a Web service).
The four critical vulnerabilities, if exploited successfully, would result in total information disclosure and give the attacker complete control over the targeted system.
Java applets are still around, especially in gaming, remote access tools, and educational software. The good news is that exploit kit writers seem to be ignoring Java vulnerabilities in favor of Adobe Flash. All of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash, according to NTT Group's latest global threat intelligence report.
Even so, don't ignore Java. Oracle pushed out an emergency update back in March for a critical flaw in both the desktop and browser plug-in versions. CVE-2016-0636, which affected Oracle Java SE 7u97, 8u73 and 8u74, scored a 9.3 on the CVSS 2.0 scale. In this CPU, Oracle reminded affected users to apply the fixes if they haven't already done so.
It's already been a busy month, what with last week's Patch Tuesday updates from Microsoft and Adobe, the latest warnings about JBoss, and administrators still fixing the Badlock flaw in Samba. Don't delay too long applying all these patches, since attackers will find and take advantage of the security flaw that gets skipped over.