Oracle drops shedload of CRITICAL vuln-busting Java patches

Sysadmins, look away - Oracle's biz suites have more holes than a Swiss cheese


Oracle's autumn batch of quarterly updates included no fewer than 127 security fixes, including 51 for Java alone.

The arrival of the Critical Patch Update (CPU) from Oracle means pretty much all of the enterprise server packages from the software giant need patching.

Oracle Database Server, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle Siebel CRM, Oracle and Sun Systems Products Suite, Oracle Virtualization and Oracle MySQL all need security fixes for one reason or another. Many of the patched vulns allow attackers to gain remote unauthenticated access to marks' networks.

The October update marks the first occasion Oracle has patched Java on the same quarterly cycle as other products, a move that makes sense and is arguably overdue – Java updates previously arrived on a four month cycle.

The numerous Java updates are the most serious and pressing of of the whole batch, according to security experts.

"The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication," warns Wolfgang Kandek, CTO at cloud security firm Qualys in a blog post.

"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments,” adds Kandek, “with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."

Ross Barrett, senior manager of security engineering at vlun management biz Rapid7, said: "Aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting."

Chester Wisniewski, a senior security advisor at Sophos Canada, notes that some of the Java updates rely on operating system vendor support rather than auto-updates, a factor that further complicates the update process.

"[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser," Wisniewski explains. "Worse yet, all but one are remotely exploitable without authentication."

Wisniewski repeats what's become standard advice from security vendors: Java can be useful elsewhere but it doesn't belong in the browser, where it presents by far the greatest security risk.

"If you don't need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser," Wisniewski writes. "If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions."

Kandek concurs with the advice that patching Java, moving to the latest version 7 where possible, ought to be the first order of business. Internet-facing servers and databases also need patching sooner rather than later, he adds.

"We recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels," Kandek advises. ®


Other stories you might like

  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading
  • Supreme Court urged to halt 'unconstitutional' Texas content-no-moderation law
    Everyone's entitled to a viewpoint but what's your viewpoint on what exactly is and isn't a viewpoint?

    A coalition of advocacy groups on Tuesday asked the US Supreme Court to block Texas' social media law HB 20 after the US Fifth Circuit Court of Appeals last week lifted a preliminary injunction that had kept it from taking effect.

    The Lone Star State law, which forbids large social media platforms from moderating content that's "lawful-but-awful," as advocacy group the Center for Democracy and Technology puts it, was approved last September by Governor Greg Abbott (R). It was immediately challenged in court and the judge hearing the case imposed a preliminary injunction, preventing the legislation from being enforced, on the basis that the trade groups opposing it – NetChoice and CCIA – were likely to prevail.

    But that injunction was lifted on appeal. That case continues to be litigated, but thanks to the Fifth Circuit, HB 20 can be enforced even as its constitutionality remains in dispute, hence the coalition's application [PDF] this month to the Supreme Court.

    Continue reading
  • How these crooks backdoor online shops and siphon victims' credit card info
    FBI and co blow lid off latest PHP tampering scam

    The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

    It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

    As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

    Continue reading

Biting the hand that feeds IT © 1998–2022