Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle’s October 2013 CPU: 127 Vulnerabilities Fixed, 51 Were in Java.

Oracle on Tuesday released its quarterly Critical Patch Update (CPU) which addresses 127 vulnerabilities across many products, including 51 vulnerabilities in Java.

Oracle on Tuesday released its quarterly Critical Patch Update (CPU) which addresses 127 vulnerabilities across many products, including 51 vulnerabilities in Java.

Of the 51 Java vulnerabilities addressed, 21 have a CVSS scores of at least 9, meaning an attacker could leverage the vulnerability to take over a system as the current user. More importantly, 12 vulnerabilities have a CVSS score of 10, which means and attacker could use these vulnerabilities to takeover a system remotely without requiring authentication.

According to Qualys CTO Wolfgang Kandek, many of the 76 other vulnerabilities addressed in Oracle’s other products allow for remote unauthenticated access for an attacker. Because of the increased risks associated remote attacks, Kandek encourages IT admins to prioritize these patches, particularly those relating to applications that are exposed to the Internet. 

Kandek also provided the following priority list for the update:

• Oracle’s RDBMS has four updates this quarter, all being remotely exploitable. The XML parser vulnerability has the highest CVSS score of 6 (on a scale of 10). One mitigating factor is that Oracle databases are typically not exposed the Internet.

• Oracle’s MySQL database has eight new vulnerabilities addressed, with the highest score at 8.5 in the MySQL Monitoring component. All vulnerabilities that can be accessed through the network require authentication, though, including two that are remotely accessible and have a CVSS score of 6.8. MySQL is often found exposed to the Internet, even though this is not considered best practice. If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.

• The Sun product family has 12 updates, with a high score of 6.9 in a SPARC server management module (ILOM). Usually access to these modules should be tightly controlled as they provide very powerful management functions such as power-on/off, etc., but we have seen just recently some research that shows that these interfaces often end up on the Internet. If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and DMZ.

• Oracle’s Fusion Middleware has a total of 17 vulnerabilities, of which 12 are accessible remotely with a maximum CVSS score of 7.5. A good map of where you have Oracle Fusion Middleware products (such as the Identity Manager, GlassFish or Oracle Weblogic) installed is helpful, so that you can prioritize the patching process.

• Fusion also contains the Outside-In product that is used in Microsoft Exchange (and other software packages) for document viewing. Microsoft has addressed the vulnerabilities CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781 in their August Patch Tuesday bulletin MS13-061, so we can expect the new vulnerabilities CVE-2013-5791 and CVE-2013-3624 to cause a new release of Exchange by Microsoft as well.

• Other product families with security updates include Peoplesoft, E-Business and Virtualization.

“The story here is that Oracle has synced up their Java patching with the rest of their patching cycle and, when it comes to vulnerabilities, Java always steals the show,” Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWeek.

“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin,” Barrett suggested. “Otherwise, run Java in the most restricted mode and only allow signed applets from whitelisted sites to run.”

Barrett also suggested that users take advantage of all the signing and execution restrictions offered by the latest plugin versions.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.