
Oracle's Quarterly Critical Patch Update Includes 25 Java Security Patches

Oracle's recently released quarterly Critical Patch Update (CPU) contained 155 new security vulnerability fixes across Oracle's product lines, including 25 for new Java SE vulnerabilities and 9 affecting the Java Virtual Machine (JVM) in the Oracle Database.

The 25 Java SE fixes break down as 20 that affect client-only deployments of Java SE (two of them browser-specific), four that affect both client and server deployments of Java SE, and one that affects client and server deployments of the Java Secure Socket Extension (JSSE). Oracle says 22 of the 25 address vulnerabilities that may be remotely exploitable without authentication: an attacker would need no user name or password to exploit them over a network.

Oracle uses the Common Vulnerability Scoring System (CVSS) to give an open, standardized severity rating for each vulnerability it fixes in its products. One of the Java SE vulnerabilities (CVE-2014-6513) received the highest possible CVSS base score, 10.0. Ten others scored 9 or higher, meaning a successful exploit could completely compromise the targeted client, though the access complexity of exploiting them is rated "medium."

CVE-2014-6513 is especially worrying to John Matthew Holt, CTO of Dublin-based Java security vendor Waratek.

"With a 10.0 severity score, [it] is an extremely serious vulnerability affecting the latest versions of Java SE 6, SE 7, and SE 8," Holt told ADTmag in an e-mail. "It allows a specially crafted image to cause JVM memory corruption, and can be used to execute arbitrary injected code with the JVM's privileges. In other words, this vulnerability can be used to achieve a complete compromise of the JVM, with full access to data and the execution state of the JVM."

Oracle added some stronger-than-usual language to this quarter's CPU, noting that the company "has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes." Those malicious attackers would not have been able to exploit those vulnerabilities had the customers applied Oracle's fixes, the company pointed out, adding: "Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

"In many instances, these fixes were published by Oracle years ago," wrote Eric P. Maurice, director of Oracle's Software Security Assurance group, on the Oracle security blog, "but their non-application by customers, particularly against Internet-facing systems, results in dangerous exposure for these customers. Keeping up with security releases is a good security practice and good IT governance."
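The practical counterpart to "keeping up with security releases" is knowing which update level is actually installed on each host. The following is an added example, not Oracle's tooling and not from the article: a POSIX shell function that parses the output of `java -version` and reports whether the installed JRE is below a required update level for its major version. The required level is a parameter; the Java 7 update number used in the closing comment is an assumption for illustration, and the sample version output is constructed.

```shell
# Added example (not Oracle's tooling): decide from "java -version" output
# whether an installed JRE is below a required update level, such as the
# level a given Critical Patch Update shipped. Baseline numbers are parameters;
# the Java 7 update number in the closing comment is an assumption.

# Constructed sample of what "java -version" writes to stderr (pre-Java 9 format).
SAMPLE_VERSION_OUTPUT='java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)'

# java_level VERSION_TEXT: print "<major> <update>" (e.g. "7 65"); fail if unparsable.
java_level() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    # "1.7.0_65" -> major 7 (legacy 1.x scheme); "9.0.1" -> major 9
    first=${ver%%.*}
    if [ "$first" = "1" ]; then
        rest=${ver#1.}
        major=${rest%%.*}
    else
        major=$first
    fi
    # The update number follows the underscore; older builds may have none.
    case "$ver" in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
    esac
    # Drop any non-numeric suffix after the update number (e.g. "65-ea").
    update=$(printf '%s' "$update" | sed 's/[^0-9].*$//')
    printf '%s %s\n' "$major" "${update:-0}"
}

# needs_patch VERSION_TEXT REQ_MAJOR REQ_UPDATE
# exit 0 if the JRE is on that major line and below REQ_UPDATE (patch needed),
# 1 if it is at or above REQ_UPDATE, 2 if unparsable or a different major line.
needs_patch() {
    lvl=$(java_level "$1") || return 2
    major=${lvl% *}
    update=${lvl#* }
    [ "$major" -eq "$2" ] || return 2
    [ "$update" -lt "$3" ]
}

# Live use (assumes, for illustration, a Java 7 baseline of update 71):
#   needs_patch "$(java -version 2>&1)" 7 71 && echo "Java 7 JRE is behind the CPU"
```

Run it once per JRE on the host (server JREs bundled with application servers often sit beside the system one), passing the update level the current CPU shipped for each major line; an exit status of 2 means the major line differs and needs its own baseline.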

Of the 31 patches announced for the Oracle Database, 28 were related to features implemented using Java in the Database, according to Maurice. In 1999, Oracle embedded a JVM in the Oracle 8i database kernel, making it possible to run Java stored procedures inside the database server. "In other words," Maurice explained, "by running Java in the database server, Java applications can benefit from direct access to relational data."

"Due to the nature of the fixes required, Oracle development was not able to produce a normal RAC-rolling fix for these issues," Maurice added. "To help protect customers until they can apply the Oracle JavaVM component Database PSU [Patch Set Update], which requires downtime, Oracle produced a script that introduces new controls to prevent new Java classes from being deployed or new calls from being made to existing Java classes, while preserving the ability of the database to execute the existing Java stored procedures that customers may rely on."
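Before choosing between Oracle's interim script and the JavaVM PSU outage, a DBA needs to know whether the JavaVM component is even installed and which existing Java stored procedures the interim controls must keep working. The queries below are an added example, not Oracle's mitigation script and not from the article; they use standard Oracle data dictionary views (DBA_REGISTRY, DBA_OBJECTS, DBA_SOURCE, DBA_REGISTRY_HISTORY) and should be run by a DBA. Output depends entirely on the database, so none is shown.

```sql
-- Added example (not Oracle's script): inventory Java usage in an Oracle Database
-- before applying the interim controls or the JavaVM PSU.

-- 1. Is the JavaVM component installed? No JAVAVM row means the Java VM fixes
--    do not apply to this instance and the interim script has nothing to guard.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 2. Which schemas hold loaded Java classes, sources or resources? This is the
--    surface the "no new classes / no new calls" controls are meant to freeze.
SELECT owner, object_type, status, COUNT(*) AS objects
  FROM dba_objects
 WHERE object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE')
 GROUP BY owner, object_type, status
 ORDER BY owner, object_type;

-- 3. Which PL/SQL call specs wrap Java methods? These are the existing Java
--    stored procedures that must remain callable after the interim script;
--    exercise each one in a test environment after applying it.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE UPPER(text) LIKE '%LANGUAGE JAVA%'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name, line;

-- 4. Has a JavaVM PSU already been recorded? Patch Set Updates are logged in
--    dba_registry_history; check the most recent entries for the JavaVM one
--    matching your release before scheduling downtime.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

Query 3 is the one to keep: rerun it after the interim script is applied and call each listed procedure, since the script is designed to block new Java calls while preserving exactly these existing ones.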

Security has been a hot topic at the annual JavaOne conference in years past, but at this year's event concern about it appeared to have cooled.

"To be sure, Oracle's Java team and the wider Java community have been doing some great work to raise security awareness and address latent vulnerabilities in both old and new Java versions," Holt said. "I applaud everyone involved. However, at the same time I caution [against] the hubristic notion that the Java community is 'getting on top of the Java security issue,' because something is either 100 percent secure, or it is insecure. And clearly, as this month's CPU shows us, we remain firmly as ever in the latter [state]…."

The list of Oracle products affected by the CPU also included Oracle's Database, Fusion Middleware, Enterprise Manager Grid Control, E-Business Suite, Supply Chain Product Suite, PeopleSoft Enterprise, JDEdwards EnterpriseOne, Communications Industry Suite, Retail Industry Suite, Health Sciences Industry Suite, Primavera, MySQL, the Oracle and Sun Systems Product Suite, and Oracle Linux and Virtualization.

Oracle's previous quarterly patch update, issued in July, included 113 fixes.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].