Oracle's April 2016 Critical Patch Update addresses 136 vulnerabilities in a number of products, but the biggest...
change is in switching to the Common Vulnerability Scoring System version 3.0, or CVSSv3, which should more accurately reflect the impact of flaws.
Oracle noted in its patch advisory that the vulnerabilities in this Critical Patch Update are scored using both versions 3.0 and 2.0 of the Common Vulnerability Scoring System, but future CPUs and security alerts will be scored using only CVSS 3.0.
Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at Tripwire, said the move to CVSS 3.0 may be the only silver lining in this month's Oracle patches.
“With the Oracle CPU, there's always the difficulty of digging through the massive amounts of data presented with limited consideration of readability," Reguly said. "While it may not be perfect, CVSSv3 does have some improvements over CVSSv2, which makes the scoring more useful in patch prioritization.
"Additionally, Oracle never really used CVSSv2, instead utilizing its own modified version of CVSSv2 that made correlation against other data sources more difficult," he continued. "Unfortunately, CVSSv3 has yet to see widespread adoption, and many vendors and data sources that promised CVSSv3 support have failed to deliver thus far, limiting the usefulness of CVSSv3 in correlating vulnerability information."
Reguly added, "For anyone patching today, a great first step is to know the Oracle products in your environment -- sometimes we forget just how many there are -- and to identify them in the CPU. After you've found the CVEs [Common Vulnerabilities and Exposures] that are resolved by this month's patch drop, aim to resolve anything with a CVSS score greater than a 9.0 before moving down to those scoring greater than a 7.0. In this case, CVSS scores make for the best prioritization metric."
The Oracle patches now available cover a number of products, including Fusion Middleware, PeopleSoft, Solaris, VM VirtualBox, MySQL and Java. The move to CVSS 3.0 is noticeable in that the number of Oracle patches that are considered critical based on their CVSS 3.0 score is 17, compared to nine based on CVSS 2.0, while 25 flaws are rated as high severity using CVSS 3.0, compared to only 12 using CVSS 2.0.
Per CVSS 3.0, the most critical vulnerabilities were found in Oracle Fusion Middleware (seven vulnerabilities rated 9.8); one Solaris vulnerability rated 9.8; two MySQL had two flaws rated 9.8; and three Java SE flaws were rated 9.6. Flaws in Java SE, Java VM, Oracle Field Service and Oracle FLEXCUBE also rated 9.0 or higher.
Lane Thames, security researcher from VERT at Tripwire, said Java should be on the priority list because of its widespread usage and the fact that attackers often focus on developing exploits for new Java vulnerabilities.
Thames also noted that there might be some confusion related to CVE-2016-0636, a vulnerability that was addressed by an Oracle Security Alert in March.
"An out-of-band Java patch was released for CVE-2016-0636 due to public disclosure of technical details of the vulnerability," Thames said. "This vulnerability is not listed in the April CPU, but patch levels of affected versions are the same. The question some might have is whether this latest CPU contains the code fix for CVE-2016-0636."
Outside of concerns related to CVE-2016-0636, Thames said, "Administrators should observe that the CPU fixes several critical vulnerabilities that can impact both server and client installations and can potentially be exploited remotely over the network without authentication.
"Administrators should also take note that a given host may contain multiple installations of Java. Similarly, various applications embed their own copies of Java. Because of this, enterprise IT shops today face a complex patching environment for Java," Thames said. "Outside of Java, I recommend focusing on server-side patches, with Internet-facing services having the highest priority. The only exception to this rule happens when known exploits are available. I am not aware of any known exploits for the related vulnerabilities."
Learn about the benefits of a vulnerability scoring system.
Find out why experts say Oracle patches need to be faster.