News

Oracle's Quarterly Security Patch Includes 25 Java SE Fixes

• By John K. Waters
• October 26, 2015

Oracle recently issued the last of its Critical Patch Updates (CPUs) for the year. The latest update offers fixes for 154 new security vulnerabilities in virtually all Oracle products, including 25 new security fixes for Java SE. Twenty-four of those Java vulnerabilities are remotely exploitable without authentication -- in other words, they can be exploited over a network without the need for a username and password.

Twenty of the new Java SE vulnerabilities affect Java in the browser only; the other five affect both client and server deployments.

The CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. And yet, observed Eric P. Maurice, director of Oracle's Software Security Assurance group, in a blog post, the company continues to receive reports of malicious exploitation of previously disclosed vulnerabilities.

"In some instances, it was reported that malicious attackers were successful because targeted Oracle customers had not applied available security patches," Maurice wrote.

Each CPU is a set of patches for multiple vulnerabilities put together since the previous update. It does not include the security advisories from previous updates; those are available on the Oracle Technology Network Web site.

"The problem of the non-application of security fixes is all too common in the industry," Maurice added, "particularly around complex enterprise applications, due to their complexity, need for near-complete availability, and need for patch testing and validation prior to deployment in production."

The good news: most CPUs are cumulative, which means the application of the October 2015 update should resolve new vulnerabilities and previously reported security issues.

Not surprisingly, Oracle recommends that CPUs be applied as soon as possible. This recommendation is particularly important now, Maurice wrote, because this CPU includes a number of fixes for very severe vulnerabilities.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number. Seven of the Java SE vulnerabilities (CVE-2015-483, 4881, 4843, 4883, 4860, 4805 and 4844) earned a CVSS Base Score of 10.0, the most severe; one scored 9.3, and another a 7.6. All the rest scored less than 7.0.

Oracle advisers Java home users to visit the java.com Web site to verify the security status of the Java plugins in their Web browsers, and to remove obsolete Java SE versions from their desktop if they are not needed.

As of the CPU issue date, Oracle had received no reports that any of the most severe vulnerabilities had been successfully exploited in the wild. But the company is recommending strongly that all users of its products apply the necessary patches as soon as possible.

"[I]t is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort," Maurice wrote. "Keeping up with security releases is important to help preserve a security-in-depth posture."

Oracle also released the CPU schedule for 2016:

• 19 January 2016
• 19 April 2016
• 19 July 2016
• 18 October 2016