In its final Critical Patch Update of 2014, Oracle Corp. provided fixes for 154 total vulnerabilities across 14 of the software giant's product lines; as usual, the most pressing updates involved the company's long-maligned Java Runtime Environment.
The software vendor, based in Redwood Shores, Calif., patched 25 vulnerabilities in its Java Platform Standard Edition (SE), with another nine Java Virtual Machine (VM) flaws mitigated as part of Oracle's database server patch. Among the 154 flaws addressed in the October 2014 Oracle CPU, only 12 were ranked as a 9.0 or higher according to the Common Vulnerability Scoring System (CVSS); 10 of those 12 were Java vulnerabilities.
A single Java vulnerability, CVE-2014-6513, was given the highest CVSS rating of 10.0, making it the most severe bug patched in this release. John Matthew Holt, CTO at Java security vendor Waratek Ltd., based in Dublin, Ireland, said the vulnerability could be exploited by an attacker tricking a user into loading a specially crafted image, corrupting the Java VM's memory in the process.
"[CVE-2014-6513] can be used to execute arbitrary injected code with the Java VM's privileges," said Holt. "In other words, this vulnerability can be used to achieve a complete compromise of the JVM, with full access to data and the execution state of the JVM."
Out of 25 Java SE vulnerabilities, Oracle noted that 22 could be remotely exploited by attackers without authentication. Chris Goettl, product manager at LANDesk Software Inc.'s Shavlik third-party patching business unit in St. Paul, Minn., said that number of severe Java vulnerabilities is actually trending down when compared to 2013 Oracle CPU releases, though the problem remains worrisome, especially when considering how many enterprises still haven't applied last year's patches.
"The number of companies that I have spoken to that are aware of the fact that Java is not being updated is also staggering," said Goettl. "There are off-the-shelf exploit kits available to take advantage of exploits that have been around for years. That is some pretty low-hanging fruit for a hacker."
While Java SE flaws continue to cause problems, Java-related issues are also mounting for Oracle Database. Oracle software security assurance director Eric Maurice said in a blog post that out of 31 vulnerabilities patched in Oracle Database this week, 28 were "related to features implemented using Java in the Database."
Poland-based vulnerability research firm Security Explorations took credit for discovering 20 of those Database security flaws, noting in a paper that a majority were due to an "insecure implementation" of the Java Reflection API, used by programs to examine and modify the behavior of applications running in the Java VM.
The company stated that the uncovered vulnerabilities actually violate Oracle's own secure coding standards, which specify that a user needs the "CREATE PROCEDURE" privilege to define Java classes and resources in a target Oracle Database environment, and that the "LOADJAVA" tool requires the "CREATE TABLE" privilege to load arbitrary classes into a database.
That information may be "true from a database point of view, but not necessarily from a Java VM execution engine perspective," said Security Explorations in its paper. "We verified that a user with a bare minimum CREATE SESSION database privilege can successfully 'load' and execute arbitrary user provided classes in Oracle Database server.
"A malicious user with a bare minimum privilege required to connect and login to Oracle Database (with 'CREATE SESSION' privilege only) can successfully compromise the security of the software that according to [outgoing Oracle CEO Larry Ellison] 'hasn't been broken into for a couple of decades by anybody' and that is 'so secure, there are people that complain,'" added Security Explorations on its website.
Oracle leadership change unlikely to affect security
Notably, this CPU release marks the last one that the controversial Ellison will oversee as CEO. Ellison recently announced his decision to step down as chief executive of the company he co-founded and take the role of CTO.
Ellison first drew the ire of the security community in 2001, when he touted Oracle's products as "unbreakable" in a marketing campaign, despite the numerous security issues that have plagued Java and other Oracle software lines over the years. All the while, Ellison has continued to tout the vendor's security posture, going so far as to say that Oracle's database products "hadn't been broken into for a couple of decades by anybody" just after they played a part in the infamous PlayStation Network breach.
Still, experts remained doubtful that Ellison's decision to step down will have a large impact on the company's security processes, at least not yet.
Holt said that he remained hopeful that Oracle security will improve, though it is unlikely that this organizational reshuffle will have a material impact. Goettl said that Ellison's decision "doesn't change much," particularly as long-time CSO Mary Ann Davidson will continue in her role as overseer of the company's security initiatives.
David Litchfield, a renowned bug hunter and independent Oracle security researcher who has often been a thorn in Oracle's side, said that the change in leadership could bring new ideas to the table.
"Let's face it, when it comes to security, Oracle could do with some [fresh perspective] because what they've been doing hasn't worked out so well for them," said Litchfield. "Hopefully this will bring a sea change in their approach but, even if it did, I wouldn't expect to see the difference in their code quality for a few years yet. These things take time."