Oracle's quarterly Critical Patch Update took aim at vulnerabilities uncovered in The Shadow Brokers' cyberweapons dump and flaws used in Apache Struts exploits in the wild.
In total, the April 2017 Oracle Critical Patch Update (CPU) addressed 299 vulnerabilities across a number of Oracle platforms, but experts said the focus should be on the fixes for Solaris 10 and Apache Struts exploits.
The Apache Struts exploits surfaced over the past month after Oracle's first patch failed to fix the issue and instead served to highlight the flaw for malicious actors. In the latest CPU, Oracle delivered patches for 25 instances where the Apache Struts exploits could be put to use against software popular in the financial sector.
Kunal Anand, co-founder and CTO at Prevoty, applauded Oracle's thoroughness in patching the vulnerabilities used in the Apache Struts exploits.
"I think Oracle is doing the responsible thing by patching the Struts 2 vulnerability across its applications -- while many of these vulnerable applications are internally facing and not typically exposed beyond the firewall, it's just the right thing to do," Anand told SearchSecurity. "Struts 2 happens to be a popular framework used by Oracle for developing applications; the number of applications affected shouldn't surprise or shock anyone."
Amol Sarwate, director of vulnerability labs at Qualys Inc., said that "in a perfect world the Struts team should have fixed both the exploit vectors and released just one patch," but praised Oracle for its "thorough investigation of all its product lines" to deliver these patches.
"Struts is a popular framework, particularly with the financial services organizations like banks and insurance companies, and it's not strange that there were this many instances across the entire Oracle product portfolio that needed patching," Sarwate told SearchSecurity. "Oracle financial service applications like Financial Services Analytical Applications, Asset Liability Management, Financial Performance Analytics, Basel Regulatory Capital Basic, Funds Transfer Pricing, Liquidity Risk Management and many other components contributed to the 25 instances of Struts."
John Bambenek, threat research manager at Fidelis Cybersecurity based in Bethesda, Md., said Oracle's response to the Apache Struts exploits is only one side of the story.
"Enterprises know the clock is ticking, and prioritization will keep them one step ahead of attackers. A majority of these patches cover remote code execution vulnerabilities and enterprises should always put these first," Bambenek told SearchSecurity. "Any system that is internet-facing also should get all the patches immediately as they are already under attack now."
Equation Group exploits and other Oracle patches
There were actually two vulnerabilities found in that cyberweapons dump, but one -- EBBISLAND -- had been patched in 2012 in Solaris 10 Update 11. However, the EXTREMEPARR exploit was unpatched until now and experts said the flaw could have been used as part of dangerous attacks.
Derek Abdine, director of Rapid7 Labs, said the vulnerability "appears to affect versions of Solaris dating back to 1998."
"EXTREMEPARR is a local privilege elevation exploit that allows a logged-in user to elevate to an administrative level. When combined with misconfigurations, weak passwords or other remote exploits on the Solaris server, it can be used to take complete control over the box," Abdine told SearchSecurity. "So alone, [it's] moderately dangerous, but when coupled with other attacks, extremely dangerous."
Bambenek agreed that the danger of the EXTREMEPARR exploit was lessened due to its nature.
"The general case for this vulnerability is privilege escalation which would require the ability to be running code on the target machine in the first place," Bambenek said. "It is certainly significant, but for most environments, these devices would not be internet-facing so the attacker would have to get there first."
Bobby Kuzma, system engineer for cybersecurity company Core Security in Roswell, Ga., said enterprises should still be careful.
"EXTREMEPARR doesn't set my hair on fire like some of the recently revealed SMB vulnerabilities. It's a local root escalation exploit. You have to already have access to the box to run it," Kuzma told SearchSecurity. "That being said, there's an awful lot of internal web applications with dubious input sanitization that are sitting on top of Solaris."
Of the remaining 297 vulnerabilities patched as part of the April CPU, Sarwate suggested enterprises be aware that there are "162 remotely exploitable vulnerabilities that could be used in an attack without the need for any credentials."
Cris Thomas, strategist at Tenable, said a release of patches this size will pose a challenge for affected organizations in "determining which assets in their IT environments need patching and then, prioritizing which ones to patch first."
"Several of the fixes address bugs that have recently received widespread publicity as part of the latest Shadow Brokers data dump," Thomas said. "As a result, attackers have already started leveraging these exploits. Organizations that don't have a full understanding of the assets and vulnerabilities on their network, or that lack a strong patch management program will struggle to get these patches applied in a timely manner."