SecurityWeek

Oracle’s October 2013 CPU: 127 Vulnerabilities Fixed, 51 Were in Java.

Oracle on Tuesday released its quarterly Critical Patch Update (CPU) which addresses 127 vulnerabilities across many products, including 51 vulnerabilities in Java.

Of the 51 Java vulnerabilities addressed, 21 carry a CVSS base score of 9.0 or higher, meaning an attacker could exploit the flaw without authentication to take over a system with the privileges of the user running Java. More importantly, 12 of them carry the maximum score of 10.0. Oracle scores its advisories with CVSS v2, and a 10.0 there encodes the worst case on every axis: exploitable over the network, low attack complexity, no authentication required, and complete loss of confidentiality, integrity and availability of the affected system.
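To make the numbers above concrete, the following Python implements the CVSS v2 base-score equation (the version Oracle's CPU advisories used in 2013). This is an added example, not code from the article, from Oracle or from Qualys; the vectors it scores are constructed to illustrate typical score bands and are not taken from any specific CVE in the October 2013 CPU.

```python
"""CVSS v2 base-score calculator.

Added example for the SecurityWeek article on Oracle's October 2013 CPU;
not code from the article or from Oracle. Weights and the equation follow
the CVSS v2 specification (base score only, no temporal/environmental).
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access Vector: Local/Adjacent/Network
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access Complexity: High/Medium/Low
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication: Multiple/Single/None
CIA_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}   # Impact: None/Partial/Complete

_EXPECTED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', ...}.

    Rejects vectors with missing, duplicated or unknown metrics so a typo
    never silently produces a low score.
    """
    parts = {}
    for piece in vector.split("/"):
        if ":" not in piece:
            raise ValueError("malformed metric %r in %r" % (piece, vector))
        key, value = piece.split(":", 1)
        if key in parts:
            raise ValueError("duplicate metric %r in %r" % (key, vector))
        parts[key] = value
    if tuple(sorted(parts)) != tuple(sorted(_EXPECTED)):
        raise ValueError("expected metrics %s, got %s" % (_EXPECTED, tuple(parts)))
    tables = {"AV": AV_WEIGHT, "AC": AC_WEIGHT, "Au": AU_WEIGHT,
              "C": CIA_WEIGHT, "I": CIA_WEIGHT, "A": CIA_WEIGHT}
    for key, value in parts.items():
        if value not in tables[key]:
            raise ValueError("unknown value %r for metric %r" % (value, key))
    return parts


def base_score(vector):
    """Return the CVSS v2 base score (0.0-10.0) for a base vector string."""
    m = parse_vector(vector)
    c, i, a = CIA_WEIGHT[m["C"]], CIA_WEIGHT[m["I"]], CIA_WEIGHT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # The spec rounds to one decimal place; use Decimal to avoid float surprises.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def remote_unauthenticated(vector):
    """True when the vector is network-reachable and needs no authentication,
    the property Kandek singles out for patch prioritisation."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["Au"] == "N"


def full_compromise(vector):
    """True when confidentiality, integrity and availability are all Complete."""
    m = parse_vector(vector)
    return m["C"] == m["I"] == m["A"] == "C"


# Constructed, illustrative vectors (not the vectors of any specific CVE).
SAMPLE_VECTORS = {
    "remote, no auth, complete compromise":       "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "same, but needs a user to open content":     "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    "remote, no auth, partial C/I/A":             "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "remote, single auth, partial C/I/A":         "AV:N/AC:M/Au:S/C:P/I:P/A:P",
    "local, no auth, complete compromise":        "AV:L/AC:L/Au:N/C:C/I:C/A:C",
}

if __name__ == "__main__":
    for label, vec in SAMPLE_VECTORS.items():
        flags = []
        if remote_unauthenticated(vec):
            flags.append("remote-unauth")
        if full_compromise(vec):
            flags.append("full-compromise")
        print("%5.1f  %-28s  %-42s %s" % (base_score(vec), vec, label, ",".join(flags)))
```

Running the block shows why the article's bands line up the way they do: a network-exploitable, unauthenticated, complete-compromise bug scores 10.0; the same bug with medium access complexity (the user has to be lured to a page) drops to 9.3; and partial impact behind a single authentication step lands around 6.0, which is the range of the authenticated database bugs Kandek describes below.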

According to Qualys CTO Wolfgang Kandek, many of the 76 other vulnerabilities addressed in Oracle's other products are also exploitable remotely without authentication. Because of the increased risk associated with remote attacks, Kandek encourages IT admins to prioritize those patches, particularly for applications that are exposed to the Internet.

Kandek also provided the following priority list for the update:

• Oracle’s RDBMS has four updates this quarter, all being remotely exploitable. The XML parser vulnerability has the highest CVSS score of 6 (on a scale of 10). One mitigating factor is that Oracle databases are typically not exposed to the Internet.

• Oracle’s MySQL database has eight new vulnerabilities addressed, with the highest score at 8.5 in the MySQL Monitoring component. All vulnerabilities that can be accessed through the network require authentication, though, including two that are remotely accessible and have a CVSS score of 6.8. MySQL is often found exposed to the Internet, even though this is not considered best practice. If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.

• The Sun product family has 12 updates, with a high score of 6.9 in a SPARC server management module (ILOM). Usually access to these modules should be tightly controlled as they provide very powerful management functions such as power-on/off, etc., but we have just recently seen research that shows these interfaces often end up on the Internet. If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and DMZ.

• Oracle’s Fusion Middleware has a total of 17 vulnerabilities, of which 12 are accessible remotely with a maximum CVSS score of 7.5. A good map of where you have Oracle Fusion Middleware products (such as the Identity Manager, GlassFish or Oracle Weblogic) installed is helpful, so that you can prioritize the patching process.

• Fusion also contains the Outside-In product that is used in Microsoft Exchange (and other software packages) for document viewing. Microsoft has addressed the vulnerabilities CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781 in their August Patch Tuesday bulletin MS13-061, so we can expect the new vulnerabilities CVE-2013-5791 and CVE-2013-3624 to cause a new release of Exchange by Microsoft as well.

• Other product families with security updates include PeopleSoft, E-Business Suite and Virtualization.

“The story here is that Oracle has synced up their Java patching with the rest of their patching cycle and, when it comes to vulnerabilities, Java always steals the show,” Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWeek.

“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin,” Barrett suggested. “Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.”

Barrett also suggested that users take advantage of all the signing and execution restrictions offered by the latest plugin versions.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
