Oracle's Quarterly CPU Fixes Record Number of Vulnerabilities

Oracle Corp.'s latest Critical Patch Update (CPU), issued this week, fixed a record 276 vulnerabilities in a range of the company's products, including 13 in Java SE, some of which received high-severity scores. The number of fixes in this CPU beat the previous record of 248 announced in January.

More than half of the Java SE vulnerabilities in this CPU are remotely exploitable over a network without authentication and received high ratings on the Common Vulnerability Scoring System (CVSS). Oracle uses CVSS to rate the ease of exploitation and the severity of the security holes it fixes in its products. Each vulnerability is issued a unique CVE identifier.

Two of the Java vulnerabilities (CVE-2016-3587 and CVE-2016-3606) earned a CVSS score of 9.6 (the highest possible is 10.0), and both allow remote attackers to affect confidentiality, integrity, and availability via vectors related to the HotSpot VM. John Matthew Holt, founder and CTO of Dublin-based Java security vendor Waratek, pointed out that these vulnerabilities relate to Java features introduced in Java SE 7 and above, which support the "invokedynamic" bytecode instruction that enables dynamic code execution and scripting on the JVM. Holt also noted that the less severe CVE-2016-3550 (CVSS score of 4.3) applies to the HotSpot JVM internals for Java SE versions 6, 7, and 8. He advised owners of Java SE 6 applications to prioritize patching with this CPU, because this fix applies to the core HotSpot JVM software.

"Several other internal HotSpot JVM vulnerabilities have also been patched in earlier quarters," Holt said in an e-mail. "Application owners who did not patch in the previous quarters should now patch with this latest CPU, which will provide the combined benefit of all current HotSpot JVM patches in a single patch cycle.

"In circumstances where immediate physical patching is not feasible," he added, "organizations should apply virtual patching to provide immediate, interim security controls. Also, organizations should be actively planning for the frequency and depth of security fixes to increase in the years ahead. Emerging application security technologies like Runtime Application Self-Protection (RASP) that provide virtual patching are a good alternative for applications that organizations can't or don't want to take offline for patching."

Analyst firm Gartner Inc. has defined RASP as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Holt's company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).

Oracle's quarterly CPUs are sets of patches for the vulnerabilities fixed since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network Web site. However, most CPUs are cumulative, Oracle says, which means that applying the fixes in this CPU should also resolve previously reported security issues in the affected products.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company warned in a statement. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay." (Italics theirs.)

Oracle settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.
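The FTC complaint and Oracle's own warning point at the same operational gap: hosts that carry several Java SE runtimes side by side, only one of which gets updated. The script below is an added example, not code from the article, Oracle, or Waratek. It parses the legacy `1.x.0_NN` version string that `java -version` prints, compares the update level against a per-major baseline, and reports every runtime in a constructed inventory that is below it. The baseline update levels (8u101, 7u111, 6u121) are assumed to be the July 2016 CPU releases and should be confirmed against Oracle's release notes before use; the install paths and version lines are constructed sample data.

```python
"""Flag installed Java SE runtimes that predate a given Critical Patch Update.

Added example, not Oracle's or Waratek's code. The baseline update levels
below are ASSUMED to be the July 2016 CPU releases (8u101, 7u111, 6u121);
confirm them against Oracle's release notes before relying on them.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed July 2016 CPU update levels, keyed by Java SE major version.
CPU_BASELINE: Dict[int, int] = {8: 101, 7: 111, 6: 121}

# Legacy Java version strings look like 1.8.0_101 (or 1.8.0_101-b13).
_VERSION_RE = re.compile(r"1\.(\d)\.0_(\d+)")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a 'java -version' line or a bare version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def cpu_status(version: str, baseline: Dict[int, int] = CPU_BASELINE) -> str:
    """Classify one runtime as patched, vulnerable, unsupported, or unknown."""
    parsed = parse_java_version(version)
    if parsed is None:
        return "unknown"        # string not in the legacy 1.x.0_NN format
    major, update = parsed
    if major not in baseline:
        return "unsupported"    # e.g. Java SE 5: no CPU fixes in this baseline
    return "patched" if update >= baseline[major] else "vulnerable"


# Constructed sample: first line of 'java -version' from several install
# directories on one host, as an inventory script might collect them.
SAMPLE_INVENTORY: Dict[str, str] = {
    "/usr/lib/jvm/java-8-oracle": 'java version "1.8.0_101"',
    "/usr/lib/jvm/jre1.8.0_91": 'java version "1.8.0_91"',
    "/opt/jdk1.7.0_80": 'java version "1.7.0_80"',
    "/opt/jdk1.6.0_45": 'java version "1.6.0_45"',
    "/opt/jdk1.5.0_22": 'java version "1.5.0_22"',
    "/opt/weird": 'java version "9-ea"',
}


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, version line, status) for every runtime that is not patched."""
    findings: List[Tuple[str, str, str]] = []
    for path, line in inventory.items():
        status = cpu_status(line)
        if status != "patched":
            findings.append((path, line, status))
    return findings


if __name__ == "__main__":
    for path, line, status in audit(SAMPLE_INVENTORY):
        print(f"{status:12} {path:32} {line}")
```

In practice the inventory would come from walking the filesystem (or a package manager) and running each `bin/java -version`; the point of the check is that a single up-to-date runtime on the PATH says nothing about the other installations the FTC settlement is concerned with.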

"Customers really do need to apply these Java CPU patches as soon as possible," Holt said, "as several high-CVSS vulnerabilities in the HotSpot JVM internals are being patched."

This quarterly CPU provided fixes for 84 products, including: Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products and Oracle MySQL, among others.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].