News

Oracle's Quarterly Critical Patch Update Is Another Whopper

• By John K. Waters
• October 26, 2016

Oracle Corp.'s latest quarterly Critical Patch Update (CPU), issued last week, was the second-largest ever, providing fixes for 253 security vulnerabilities for 76 of the company's products, including seven security updates for Java SE 6, 7 and 8, and eight for the Java EE-based WebLogic and GlassFish application servers. Oracle's July CPU provided fixes for a record 276 security flaws in the company's products.

All seven of the Java Platform vulnerabilities addressed in this CPU are remotely exploitable without authentication (exploited over a network without user credentials). Three of the vulnerabilities earned a base Common Vulnerability Scoring System (CVSS) score of 9.6 (of 10.0). Oracle uses version 3 of CVSS to rate the ease of exploitation and severity of the security holes it finds in its products. Each vulnerability is issued a unique CVE number.

The CVSS scores apply to Java deployments "typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the Internet) and rely on the Java sandbox for security," the update reads. But they do not apply to Java server deployments that load and run only trusted code, that was, for example, installed by an administrator. A CVSS score of 9.6 for a Java SE flaw drops to 7.1 in Solaris and Linux deployments, according to the Oracle advisory.

Most of the vulnerabilities addressed in this CPU are in Oracle's middleware products, including two vulnerabilities in its core Oracle Database Server, 31 in its MySQL database, 13 in Oracle Linux and virtualization products and 16 in the Sun Systems suite (Solaris and Sparc Enterprise).

Earlier this year, Oracle settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.

Oracle includes this statement with its CPUs: "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes."

The October CPU is Oracle's last patch update for 2016, with the next regularly scheduled update currently set for Jan. 17, 2017.

More information is available online. Users running Java SE with a browser can download the latest release from the Java download page. Users on the Windows and macOS platforms can also use automatic updates to get the latest release, Oracle said.