Oracle has released its January Critical Patch Update, fixing 237 vulnerabilities across the company’s product portfolio. The update, released on Jan. 16, comes as cryptocurrency miner attackers take aim at vulnerabilities that Oracle patched in its October 2017 CPU.
The January 2018 CPU addresses myriad security vulnerabilities, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Of particular note, Oracle’s January CPU includes patches for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) processor vulnerabilities that were disclosed on Jan. 3.
Other issues patched by Oracle in the January CPU include a pair of critical vulnerabilities (CVE-2018-2655 and CVE-2018-2656) in the Oracle E-Business Suite (EBS) that were reported by security firm Onapsis. The EBS flaws are remotely exploitable without the need for user authentication. According to Onapsis, an attacker could execute an arbitrary query in the database to get or modify private information.
“We discovered these bugs doing research during a security assessment in one of our customers,” Sebastian Bortnik, head of research at Onapsis, told eWEEK. “We reported the vulnerabilities in mid-2017.”
Onapsis also reported that a previously patched EBS flaw is vulnerable to a cryptocurrency miner exploit that has already been attacking PeopleSoft deployments. On Jan. 8, ISC SANS reported that attackers were exploiting the CVE-2017-10271 vulnerability, which enables unauthenticated access to a WebLogic Server. According to ISC SANS, the attackers were able to get a cryptocurrency miner running on PeopleSoft servers, which include WebLogic, to mine approximately $250,000 in Monero cryptocurrency. Bortnik noted that the CVE-2017-10271 vulnerability was patched in October 2017.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” Oracle warned in its January CPU advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”
According to Bortnik, it’s also possible that flaws that were patched in the January CPU could be also used for unauthorized cryptocurrency mining attacks. Any bug that enables code execution could be potentially used in a cryptocurrency miner attack, he said. Cryptocurrency attacks against Oracle applications are relatively uncommon and are a new phenomenon, Bortnik added.
“Attacks against business-critical applications are usually more targeted attacks and less frequent than attacks that make the press,” Bortnik said. “We have worked in the past with companies that have suffered an attack but still haven’t seen one affected to date with cryptocurrency.”
Java
As part of the January CPU, Oracle also patched 21 security vulnerabilities in Java, of which 18 are remotely exploitable without authentication.
Among the remotely exploitable issues are a pair of deserialization flaws that were discovered by security firm Waratek. Serialization is the process by which a data object is converted from an object to a series of bytes that can be stored and communicated.
“Waratek researched the JRE (Java Runtime Environment) codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication,” Waratek stated in an advisory released Jan. 18.
Waratek noted that Oracle has patched Java serialization methods for multiple vulnerabilities over the course of 2017 and introduced a new serialization filtering mechanism to help mitigate risks.
“Oracle has tried to address deserialization, which is notoriously difficult to address, over the past year,” James Lee, executive vice president at Waratek, told eWEEK. “It has remained difficult to fix, and this CPU proves that deserialization remains a serious issue.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.