Oracle Corp.'s third quarterly Critical Patch Update of 2014 delivered fixes for a total of 113 vulnerabilities across 13 of its product lines, including patches for a number of serious Java vulnerabilities that highlight the security risk of running Oracle's long-maligned software runtime environment.
Among the 20 Java flaws resolved by the Redwood Shores, California-based software vendor, eight were ranked as a 9.3 or above, according to the Common Vulnerability Scoring System (CVSS). A single Java vulnerability, CVE-2014-4227, was given the highest rating of 10.0, making it the most severe bug patched in the July 2014 Oracle CPU.
All 20 Java vulnerabilities could also be exploited remotely without any form of authentication, a notable finding for Chris Goettl, product manager at St. Paul, Minnesota-based third-party patching vendor Shavlik Technologies, who said that only the difficulty of exploiting some of the Java flaws held their respective CVSS scores down. The same held true for approximately two-thirds of the vulnerabilities patched in this Oracle CPU, Goettl noted with concern, though he added that future patch releases will need to be monitored to determine whether this is a persistent problem for Oracle.
Even low-scoring vulnerabilities could cause damage to an organization, said Goettl, because modern attackers will typically exploit multiple flaws to infiltrate and move within an enterprise environment.
"If you're talking about a hacker like [those that attacked] Target, every step of the way they're exploiting something slightly different to" achieve their goal, said Goettl. He also cited statistics from Cisco Systems Inc.'s 2014 Annual Security Report -- specifically that Java was involved in 91% of Web exploits and a majority of those incidents involved outdated versions of Oracle's software -- to reiterate the need for all organizations still reliant on Java within their environments to apply the latest patches.
Java updates for XP to continue
Beyond addressing a number of Java security problems, Oracle also moved to clarify a decision the company made last week in relation to its ongoing Java support for the unsupported Windows XP platform.
Although some security industry observers misconstrued the company's decision not to supply XP users with Java 8, the latest version of the software, updates for previously supported versions will continue to be delivered until at least April 2015, said Henrik Stahl, vice president of product management for Oracle's Java Platform Group. Oracle is open to continuing support past that date, he added, if XP usage demands it.
"We expect that [Java Development Kit] 7 will continue to work on Windows XP. Security updates issued by Oracle will continue to be pushed out to Windows XP desktops," said Stahl in a blog post. "The important point here is that we can no longer provide complete guarantees for Java on Windows XP, since the OS is no longer being updated by Microsoft. We strongly recommend that users upgrade to a newer version of Windows that is still supported by Microsoft in order to maintain a stable and secure environment."
While applying the Java fixes should be the priority for most organizations, Wolfgang Kandek, CTO at Redwood Shores, California-based vulnerability management vendor Qualys Inc., said in a blog post that organizations shouldn't delay applying the patches for the 10 MySQL vulnerabilities that Oracle fixed, including one Heartbleed-related bug, CVE-2014-0160.
"The highest score is CVSS 6.5, indicating network-accessible vulnerabilities that require authentication, i.e., a username and password to log into the database," said Kandek. "We frequently see MySQL databases connected directly to the Internet, [and] Shodan lists almost four million entries for the MySQL port 3306 that are not firewalled, so we recommend fast patching for these issues, especially if you are on that list of Internet-accessible IP addresses."
Another vulnerability in this Oracle CPU worth noting, according to a blog post by SANS Institute security researcher Daniel Wesemann, is CVE-2013-3751, an issue with the XML parser of Oracle Database that had originally been patched in version 11g in 2013. The vulnerability likely resurfaced in Oracle Database 12, said Wesemann, because its code was forked from Database 11g before the bug had been fixed there.
"So, Oracle 12 remained exposed to the same bug until now," said Wesemann. "This speaks volumes about Oracle's software development life cycle and security processes."