News

8 Critical Java Security Holes Fixed by Quarterly Patch

• By John K. Waters
• January 27, 2016

Oracle Corp.'s latest Critical Patch Update (CPU), published last week, includes fixes for eight Java security holes, three of which were rated critical, earning Common Vulnerability Scoring Standard (CVSS) scores of 10.0.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number.

The company issued patches for a total of 248 vulnerabilities across its product lines, addressing seven vulnerabilities in the Oracle Database Server, three in the GoldenGate component, eight in Java SE, and 22 in Oracle MySQL. The update also closed nine holes in Oracle Virtualization and 23 in Oracle Sun Systems Product Suite, which includes Solaris. Most of the fixes applied to the company's enterprise applications (EBS, Fusion Middleware and PeopleSoft).

Each CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network Web site. However, most CPUs are cumulative, Oracle says, which means the application of this CPU should resolve new vulnerabilities and previously reported security issues.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," the company said in its post. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay."

In his quarterly blog post announcing the CPU, Eric P. Maurice, director of Oracle's Software Security Assurance group, also offered what has become a regular admonition to home users to take the patch update seriously. "Oracle strongly recommends that Java home users visit the java.com Web site," he wrote, "to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed."

Oracle recently settled with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers. Under the agreement, Oracle is required to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.

This CPU also included a note reminding users about a previously reported vulnerability -- CVE-2015-4852, the so-called deserialization bug -- with a strong recommendation to apply the fixes and/or configuration steps that were previously announced. Serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received. That vulnerability allows attackers to send malicious objects to be deserialized. It is a remote code execution vulnerability, which means it can be exploited over a network without the need for a username and password.

Oracle's CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. Here's Oracle's CPU schedule for 2016:

• 19 January 2016
• 19 April 2016
• 19 July 2016
• 18 October 2016