Feeds

Oracle drops shedload of CRITICAL vuln-busting Java patches

Sysadmins, look away - Oracle's biz suites have more holes than a Swiss cheese

High performance access to file storage

Oracle's autumn batch of quarterly updates included no fewer than 127 security fixes, including 51 for Java alone.

The arrival of the Critical Patch Update (CPU) from Oracle means pretty much all of the enterprise server packages from the software giant need patching.

Oracle Database Server, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle Siebel CRM, Oracle and Sun Systems Products Suite, Oracle Virtualization and Oracle MySQL all need security fixes for one reason or another. Many of the patched vulns allow attackers to gain remote unauthenticated access to marks' networks.

The October update marks the first occasion Oracle has patched Java on the same quarterly cycle as other products, a move that makes sense and is arguably overdue – Java updates previously arrived on a four month cycle.

The numerous Java updates are the most serious and pressing of of the whole batch, according to security experts.

"The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication," warns Wolfgang Kandek, CTO at cloud security firm Qualys in a blog post.

"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments,” adds Kandek, “with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."

Ross Barrett, senior manager of security engineering at vlun management biz Rapid7, said: "Aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting."

Chester Wisniewski, a senior security advisor at Sophos Canada, notes that some of the Java updates rely on operating system vendor support rather than auto-updates, a factor that further complicates the update process.

"[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser," Wisniewski explains. "Worse yet, all but one are remotely exploitable without authentication."

Wisniewski repeats what's become standard advice from security vendors: Java can be useful elsewhere but it doesn't belong in the browser, where it presents by far the greatest security risk.

"If you don't need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser," Wisniewski writes. "If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions."

Kandek concurs with the advice that patching Java, moving to the latest version 7 where possible, ought to be the first order of business. Internet-facing servers and databases also need patching sooner rather than later, he adds.

"We recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels," Kandek advises. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.