Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Addresses 128 Vulnerabilities in Massive Critical Patch Update (CPU)

Oracle on Tuesday released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. 

Oracle on Tuesday released its quarterly Critical Patch Update (CPU) for April, which addressed a whopping 128 security issues across multiple product families. 

Most concerning is that a large number of the vulnerabilities listed are remotely exploitable without authentication, including (4) in its flagship Oracle Database Server, all which can be remotely exploitable without authentication, i.e., exploited over a network without the need for a username and password.

The Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware, 22 of which are remotely exploitable.

Oracle LogoMoving on, the update contains 6 new security fixes for the Oracle E-Business Suite, All remotely exploitable.

While the database giant released 25 new security fixes for MySQL, only (1) was said to be remotely exploitable without authentication.

Oracle also released a Java SE Critical Patch Update to address multiple vulnerabilities affecting the Java Runtime Environment (JRE).

“The Java CPU contains 19 CVEs with CVSS base score of 10 (the highest you can go) indicating that exploiting the vulnerability is not particularly challenging and could give complete control of compromised systems,” said Ross Barrett, Senior Manager of Security Engineering at Rapid7.

“For all of these vulnerabilities, the browser is the vector of exploit,” Barrett said. “For one of those (CVE-2013-1537) some Java server configurations will also be exposed. In total, there are 42 distinct CVEs for Java this quarter, of which 39 are through the Java Web Start plugin and can be remotely exploited without authentication.”

Related ResourceHow Secure is Your Code? Test Your Code Here For Free

Advertisement. Scroll to continue reading.

Other vulnerabilities addressed in this Critical Patch Update include:

• (3) Vulnerabilities in the Oracle Supply Chain Products Suite, (1) which may be remotely exploitable without authentication,

• (11) vulnerabilities for Oracle PeopleSoft Products, (6) remotely exploitable without authentication

• (8) vulnerability fixes for Oracle Siebel CRM, (1) which may be remotely exploitable without authentication.

• (3) fixes for Oracle Industry Applications, none which are said to be remotely exploitable without authentication.

• (18) security fixes for Oracle Financial Services Software, (1) of these which may be remotely exploitable without authentication.

• (2) new security fixes for the Oracle Primavera Products Suite, (1) of these which can be remotely exploitable without authentication.

• (1) new security fix for Oracle Support Tools which is not remotely exploitable without authentication.

Commenting on the Java vulnerabilities, Rapid7’s Barrett reminded how Java exploits lead to the compromise of both Facebook and Bit9 recently, and warned that Java-based threats are not likely to subside anytime soon.

“Administrators and end users alike have to realize that the common wisdom regarding Java plugin security and precautions will not change with this patch, the next one, or the one after that. Java as a web plugin has a lot of unpatched issues, many of which are found and disclosed to Oracle by responsible researchers who are essentially doing Oracle’s Quality Assurance work for free on an ongoing basis,” Barrett said.

“We don’t know how many vulnerabilities the ‘bad guys’ are finding though, until they hit the common market in widespread exploits,” he added. “It’s doubtful that skilled and motivated attackers won’t find the same things as more ethical researchers. And some may well have more resources available to them to look.”

According to Wade Williamson, Senior Security Analyst at Palo Alto Networks, dealing with Java vulnerabilities requires a layered approach.

“The first step is for an organization to understand precisely where and why Java is needed,” Williamson wrote in a recent SecurityWeek column. “Based on the rate of newly discovered vulnerabilities, security teams should assume that Java is and will continue to be vulnerable.” Both Williamson and Barrett, along with just about every security expert, suggest that whenever possible, Java should be disabled in order to reduce risk.

“For many enterprises the rewards of Java have considerably diminished over the years, while the risks are growing exponentially,” Williamson said. “So many organizations will need to take a long, hard look at Java and answer for themselves if it’s worth it.”

Due to the threat posed by a successful attack, Oracle is strongly recommending that organizations apply the security fixes as soon as possible.

“Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle advised. “For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Related ResourceAre Your Applications Secure? Test Your Code For Free

Related Reading: The Unique Challenges of Controlling Java Exploits

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.