Oracle released its quarterly CPU (Critical Patch Update), addressing a whopping 276 vulnerabilities across 84 products, an all-time high for Oracle. The vast majority of the fixes are in Oracle's Fusion Middleware and other applications. Oracle Database, ostensibly the company's flagship product, continues to get less and less attention from the security team.
The CPU fixed 39 vulnerabilities in Fusion Middleware; 34 in the Sun Systems suite, which includes Solaris and SPARC Enterprise; and 27 in Supply Chain. MySQL, which Oracle acquired as part of its Sun deal, received 22 fixes, while only nine fixes were released Oracle Database Server. Java, which continues to be a favorite target for web-based attacks, received 13 fixes. The CPU addressed only four security flaws in Oracle Linux and virtualization products.
The relatively small number of security updates doesn't mean Database Server is more secure than other Oracle products and doesn't have any vulnerabilities. In the past, researchers have reported Oracle sitting on vulnerability reports and being slow to release the fixes. The world's largest enterprises run Oracle databases, so there's a lot of valuable data stored on those servers. It's perplexing that Database Server doesn't seem to be as big a priority for Oracle as some of the other products in the portfolio.
"Typically, databases are not exposed directly to the internet, but as they hold the crown jewels of any organization, we recommend patching immediately," said Amol Sarwate, director of engineering at Qualys.
Of the nine Database Server vulnerabilities fixed in this CPU, the flaw in the OJVM component (CVE-2016-3609) is rated critical. The "easily exploitable vulnerability" would allow a low-privilege attacker with network access via HTTPS, but has a Create Session privilege to compromise and takeover the Oracle JVM. The CVSS v3 base score is 9.0 on the Windows platform because the vulnerability can impact confidentiality of the data, the integrity of the database, and the availability of the server. The same vulnerability has a CVSS v3 base score of 8.0 on Linux systems. Database Server 184.108.40.206, 220.127.116.11, and 18.104.22.168 are affected.
"Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in OJVM, attacks may significantly impact additional products," Oracle said in the detailed version of its CPU advisory. "Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition."
The other high-priority vulnerability in Oracle Database is in the JDBC component (CVE-2016-3506) and has a CVSS v3.0 base score of 8.1. An unauthenticated attacker with network access via Oracle Net would be able to compromise and take over the JDBC. Oracle called this flaw a "difficult-to-exploit vulnerability."
Oracle's other database, MySQL, fared better, as most of fixes were for low- to medium-severity flaws.
The highest-severity flaw, rated CVSS v3.0 base score 8.1, is in the Server Parser subcomponent (CVE-2016-3477). Versions 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier are affected. The vulnerability allows unauthenticated attackers with login access to the infrastructure where MySQL Server executes to successfully compromise and take over the database server.
The other vulnerability, in Server Option subcomponent, (CVE-2016-3471) is rated CVSS v3 base score 7.5. Affecting versions 5.5.45 and earlier and 5.6.26 and earlier, this flaw is similar to the other higher-rated vulnerability, except this one requires the attacker to have high privileges.
Java gets particular attention in this update, with fixes for four critical vulnerabilities. More than half of the Java vulnerabilities addressed in this CPU are remotely exploitable over a network.
"Customers really need to apply these Java CPU patches as soon as possible, as several high-CVSS vulnerabilities in the HotSpot JVM internals are being patched," said Waratek CTO John Matthew Holt.
An "easily exploitable vulnerability" in Java SE 8u92 in the HotsSpot JVM (CVE-2016-3587) allows an unauthenticated attacker with network access via multiple protocols to compromise Java. The vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code, Oracle said in its advisory. The vulnerability does not affect Java deployments that load and run only trusted code. The CVSS v3 base score is 9.6. A similar "easily exploitable vulnerability" in HotSpot (CVE-2016-3606) affecting Java SE 7u101 and 8u92 also received a CVSS v3 base score of 9.6.
These vulnerabilities were likely related to Java features introduced in versions Java SE 7 and above that support the "invokedynamic" feature that enables dynamic code execution and scripting, Holt said.
Organizations unable to immediately apply the patches should consider virtual patching to "provide immediate, interim security controls," Holt said. Application technologies like Runtime Application Self-Protection that provide virtual patching capabilities give organizations an alternative if they can't take servers offline for immediate patching.
This update addresses a lot of high-priority vulnerabilities. Of the 276, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials. Enterprises that use Oracle Secure Global Desktop should make sure to update, as it has an SSL problem with a CVSS v3 base score 9.8 that lets attackers delete data or stage a denial of service attack.
The CPU comes out quarterly, and Oracle is addressing vulnerabilities across an extremely large product portfolio, so it makes sense that the CPU is going to be much larger in size compared to security updates from other companies. Microsoft's Patch Tuesday releases, for example, rarely take on more than 60 vulnerabilities in one month.
Even so, 276 vulnerabilities in a single update is still extremely large, especially since the last CPU released in April had only 136 patches. The latest updates will mean a lot of time and work for Oracle and Java administrators to test and deploy the security fixes.