News

Oracle Issues Quarterly CPU, Fixes Zero Day

• By John K. Waters
• July 21, 2015

Oracle's latest quarterly Critical Patch Update (CPU) comprises 193 fixes for vulnerabilities in Oracle products, including 25 that address Java SE issues. One of the Java vulnerabilities (CVE-2015-2590 ) was reportedly already being exploited in the wild, which might account for Oracle's strongly worded admonition in its announcement:

"Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay." (Italics are Oracle's.)

CVE-2015-2590, which allowed remote attackers to affect confidentiality, integrity, and availability "via unknown vectors related to Libraries," was the first zero-day Java vulnerability to be reported in two years, according to security researchers at Trend Micro. The hacker group Pawn Storm (also known as APT28) had been using the zero-day exploit to target "certain armed forces of a NATO country and a U.S. defense organization," the researchers found. The hacker group is believed to be Russian.

Twenty-three of the Java vulnerabilities are remotely exploitable without authentication, explained Eric P. Maurice, director of Oracle's Software Security Assurance group, in an Oracle Security blog post. Sixteen of the Java SE fixes are for Java client-only; one is for the client installation of Java SE; and five are for client and server deployment.

This CPU also includes a fix specifically for the Mac platform, and four for the Java Secure Socket Extension (JSSE) client and server deployments.

Seven of the 25 Java vulnerabilities addressed in this CPU earned a CVSS rating of 10.0 -- very serious. Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. This CPU relied on the 2.0 version of that rating system, but version 3.0 is now available and will likely be used in the next quarterly update. The Forum of Incident Response and Security Teams (FIRST) announced the availability of CVSS 3.0 in June. The latest version has been under development for three years.

John Matthew Holt, CTO of Dublin-based Java security vendor Waratek, pointed out in an e-mail that, of the 25 CVEs fixed in this patch, 24 of them (96 percent) affect Java SE 8, the latest and most up-to-date Java version -- revealing, he said, that the security of Java's APIs has not significantly improved over time. He also noted that Java SE 7 is no longer being provided with public security updates. "So enterprises running Java SE 7 applications -- which is virtually every large enterprise today -- cannot automatically download and apply these important security fixes," he said.

With this CPU Oracle also provided patches for its other products, including Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.