Oracle drops shedload of CRITICAL vuln-busting Java patches

Sysadmins, look away - Oracle's biz suites have more holes than a Swiss cheese

Oracle's autumn batch of quarterly updates included no fewer than 127 security fixes, including 51 for Java alone.

The arrival of the Critical Patch Update (CPU) from Oracle means pretty much all of the enterprise server packages from the software giant need patching.

Oracle Database Server, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle Siebel CRM, Oracle and Sun Systems Products Suite, Oracle Virtualization and Oracle MySQL all need security fixes for one reason or another. Many of the patched vulns allow attackers to gain remote unauthenticated access to marks' networks.

The October update marks the first occasion Oracle has patched Java on the same quarterly cycle as other products, a move that makes sense and is arguably overdue – Java updates previously arrived on a four month cycle.

The numerous Java updates are the most serious and pressing of the whole batch, according to security experts.

"The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication," warns Wolfgang Kandek, CTO at cloud security firm Qualys in a blog post.

"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments," adds Kandek, "with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."

Ross Barrett, senior manager of security engineering at vuln management biz Rapid7, said: "Aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting."

Chester Wisniewski, a senior security advisor at Sophos Canada, notes that some of the Java updates rely on operating system vendor support rather than auto-updates, a factor that further complicates the update process.

"[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser," Wisniewski explains. "Worse yet, all but one are remotely exploitable without authentication."

Wisniewski repeats what's become standard advice from security vendors: Java can be useful elsewhere but it doesn't belong in the browser, where it presents by far the greatest security risk.

"If you don't need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser," Wisniewski writes. "If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions."

Kandek concurs with the advice that patching Java, moving to the latest version 7 where possible, ought to be the first order of business. Internet-facing servers and databases also need patching sooner rather than later, he adds.

"We recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels," Kandek advises. ®
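A small triage script that applies the sequence Kandek recommends (Java first, then Internet-exposed services, then databases) to a host inventory, and checks a `java -version` banner against the 7u45 release named above. This is an added example, not code from The Register, Qualys or Oracle; the inventory, hostnames and CVSS values are constructed for illustration.

```python
"""Patch-order triage for an Oracle quarterly CPU.

Tier 0: Java (client or server), the most attacked software in the release.
Tier 1: Internet-exposed services (WebLogic, HTTP and similar).
Tier 2: everything else, including databases that are not directly exposed.
Within a tier, higher CVSS goes first; hostname breaks ties for a stable report.
"""
import re


def tier(finding):
    """Map one finding to the patch tier described above."""
    if finding["product"] == "Java":
        return 0
    if finding["exposed"]:
        return 1
    return 2


def java_needs_update(version_line):
    """True if the first line of `java -version` is older than Java 7 update 45.

    Oracle's banner looks like:  java version "1.7.0_45"
    An unparseable banner is treated as needing attention rather than ignored.
    """
    m = re.search(r'"1\.(\d+)\.0_(\d+)', version_line)
    if not m:
        return True
    major, update = int(m.group(1)), int(m.group(2))
    return (major, update) < (7, 45)


def prioritise(findings):
    """Return findings in the order they should be patched."""
    return sorted(findings, key=lambda f: (tier(f), -f["cvss"], f["host"]))


# Constructed sample inventory (hostnames and scores are illustrative only).
INVENTORY = [
    {"host": "db01", "product": "Database", "cvss": 6.5, "exposed": False},
    {"host": "web01", "product": "WebLogic", "cvss": 7.5, "exposed": True},
    {"host": "app01", "product": "Java", "cvss": 10.0, "exposed": True, "cve": "CVE-2013-5782"},
    {"host": "mon01", "product": "MySQL Enterprise Service Manager", "cvss": 8.5, "exposed": False},
    {"host": "ws-1042", "product": "Java", "cvss": 10.0, "exposed": False},
]

if __name__ == "__main__":
    for f in prioritise(INVENTORY):
        print(f"tier {tier(f)}  cvss {f['cvss']:4}  {f['host']:8} {f['product']}")
```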
