News

Oracle Issues First Security Patch of the Year

• By John K. Waters
• January 25, 2017

Oracle Corp. issued its first Critical Patch Update (CPU) of 2017 last week, providing fixes for 270 vulnerabilities across 45 products. This near-record CPU (the July 2016 update fixed 276 vulnerabilities) includes 17 new security fixes for Java SE, Java SE Embedded, and JRockit, 16 of which are exploitable without authentication.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Each vulnerability is issued a unique CVE number. Sixteen of the vulnerabilities listed in this CPU earned high-risk ratings.

Three of those high-risk scores applied to Java security holes (CVEs 2017-3289, 2017-3272 and 2017-3241), which earned CVSS v3.0 scores of 9.6, 9.6 and 9.0 out of 10, respectively.

The two most serious Java vulnerabilities patched in this CPU (CVE-2017-3289 and 2017-3272) apply to Java deployments, Oracle said in its advisory, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code, such as code that comes from the Internet, and rely on the Java sandbox for security. They do not apply to Java deployments that load and run only trusted code, such as code installed by an administrator, typically on servers.

Oracle also provided a record 121 fixes for vulnerabilities found in applications in its E-Business Suite (EBS), 118 of which are remotely exploitable without authentication. In their assessment of this CPU, security researchers at ERPScan, concluded that the high number of vulnerabilities addressed in the EBS indicated a change of focus, from Oracle's Database and Java SE products to "critical business applications."

"Oracle E-Business Suite (EBS) is the main business software developed by Oracle," ERPScan co-founder and CTO Polyakov Alexander told ADTmag in an e-mail. "As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization."

ERPScan is responsible for the discovery of two critical vulnerabilities closed in this CPU: XSS in Oracle PeopleSoft (CVE-2017-3300), which allows an attacker to use a special HTTP request to hijack session data of administrators or users; and DoS in Oracle OpenJDK (CVE-2017-3241), which allows an attacker to cause Denial of Service to an application using OpenJDK Runtime Environment 1.8 as its core runtime engine.

Oracle also included patches in this CPU for vulnerabilities in its Database Server, Enterprise Manager Grid Control, Industry Applications, Fusion Middleware, Sun Products, and MySQL.

Each CPU is a set of patches for multiple vulnerabilities put together since the previous update. They do not include the security advisories from previous updates; those are available on the Oracle Technology Network Web site. However, most CPUs are cumulative, Oracle has said, which means the application of this CPU should resolve new vulnerabilities and previously-reported security issues.

Oracle's settlement with the Federal Trade Commission (FTC) over charges that the company deceived consumers by not informing them that its quarterly security updates left older, still vulnerable versions of Java running on some computers requires the company to disclose "clearly and conspicuously" to users during the update process which iterations of Java SE are still running on their machines, which of those iterations pose security risks if not removed, and how to easily remove them.

Oracle's CPUs are issued on a quarterly schedule announced at the beginning of the year. The purpose of that schedule is to provide users of Oracle products with a level of predictability that will foster regular maintenance activity, the company has said. Here's Oracle's CPU schedule for the rest of 2017:

• 18 April 2017
• 18 July 2017
• 17 October 2017
• 16 January 2018