Solaris, Java have vulns that let users run riot

What's big, red and has 308 patches, 30 of them critical? Oracle's quarterly patch dump

Oracle's emitted its quarterly patch dump. As usual it's a whopper, with 308 security fixes to consider.

Oracle uses the ten-point Common Vulnerability Scoring System Version 3.0, on which critical bugs score 9.0 or above. The Register counts 30 such bugs in this release.

Not all can be laid at Oracle's door. For example, a glibc glitch is hardly Oracle's fault. Nor are the Apache Tomcat and Struts bugs that MySQL users need to squash.

But a few others are Big Red boo-boos, such as CVE-2017-3632, a mess that means a remote user can exploit a flaw in the Solaris CDE Calendar component to gain elevated privileges. Lesser Solaris bugs allow DDOSing and unauthorised data alterations.

Java SE has 10 critical flaws, nine of them rated 9.6. Most allow remote users to do things you'd rather they couldn't. Oracle says 28 of 32 Java vulnerabilities “may be remotely exploitable without authentication”.

Oracle Retail Customer Insights and Oracle WebLogic also have critical vulns, the latter the only product to earn a perfect 10.0 severity rating for CVE-2017-10137 which allows a remote user to obtain elevated privileges.

We could go on and explore the other 278 patches rated 8.9 or lower, but by now you get the idea: there's something terrifying for almost every Oracle user because even a bug rated a wimpy 5.3, such as CVE-2017-10244 discovered by Onapsis, means “attackers to exfiltrate sensitive business data without requiring a valid user account” in Oracle E-Business suite.

Next steps? View Oracle's list here then use your Oracle login to get more details here before figuring out what can be fixed now, what can wait for your next scheduled change window and what needs a new change window scheduled ASAP. ®


Biting the hand that feeds IT © 1998–2017