Oracle issued a massive update today to patch 88 security vulnerabilities, including dozens of remote code execution issues that can be exploited without user authentication.
The largest number of fixes was for Oracle’s Financial Services Software, with a total of 17 patches. The Oracle Sun products suite contains 15 patches, including five that are remotely exploitable without authentication. Among the Sun products, the most serious of the bugs is a vulnerability in the Oracle Grid Engine that scored a 9.0 out of a possible 10 on the CVSS 2.0 scoring system. The most critical bug overall belonged to JRockit, Oracle’s proprietary Java Virtual Machine, which scored a 10 on the CVSS scale.
“JRockit has been free since May 2011 and it is unclear how many organizations this will affect,” said Marcus Carey, security researcher at Rapid7. “JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.”
“IT security teams should warm up their coffee pots and espresso machines for today’s massive Oracle patch; they will be facing a long day and an even longer night,” said Lamar Bailey, director of security research at nCircle. “Oracle is releasing 88 patches, and a whopping 37 percent of them are remotely executable. Even worse, many of these don’t require login credentials.”
There were also 15 fixes for the Oracle PeopleSoft product suite; two for Oracle Industry applications; six for MySQL; one for the Oracle Primavera products suite; five for the Oracle Supply Chain products suite; four for the Oracle E-Business suite; six for the Oracle Enterprise Manager Grid Control suite; and 11 for Oracle Fusion Middleware. There were also six patches for the Oracle Database software.
No Java update is on the menu in this release, as Oracle releases those updates on a separate schedule. Java vulnerabilities have been in the news lately due to well-publicized attack campaigns such as the resurgence of the Mac OS X Flashback Trojan. The vulnerability targeted in that attack was closed by Oracle in February.
Qualys CTO Wolfgang Kandek called the release a “large update for Oracle software users,” and recommended addressing vulnerabilities on systems that are Internet accessible first.
“Most likely this will mean fixing Glassfish/iPlanet and Solaris vulnerabilities first, followed by MySQL,” he blogged. “Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all.”