The new year is starting off with a bang for Oracle, at least in terms of security updates. In sharp contrast to Microsoft, which today released just four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its software portfolio as part of its quarterly Critical Patch Update (CPU).
At the top of the list with the most fixed vulnerabilities and widespread impact are 36 security fixes for Oracle’s Java. Oracle first began to include Java security fixes as part of its main CPU release in October of 2013. At that time, Oracle fixed a total of 127 vulnerabilities, with Java accounting for 51 of them.
With the January crop of Java vulnerabilities, 34 of the 36 flaws are remotely exploitable without user authentication, making them among the most dangerous types of software flaws. Going a step further, Oracle has ranked five of the new Java vulnerabilities as having the highest possible Common Vulnerability Scoring System (CVSS) score of 10.
Java is among the most attacked and the most patched piece of software in use today. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. According to Kaspersky, between March and August of 2013, there were at least 8.54 million Java exploit attacks. Brian Gorenc, manager of the Zero Day Initiative at Hewlett-Packard Security Research, spoke at length about Java exploits during a Black Hat USA 2013 session. While Java zero-day exploits are responsible for some attacks, the majority are attacks against vulnerabilities that Oracle has already patched in a public update, though users have not yet updated their own systems.
“Unfortunately, with Java being an enterprise platform, there are many software vendors that only support the older (exploitable) versions of Java,” Tommy Chin, technical support engineer at Core Security, told eWEEK. “Companies who own and depend of this type of software are locked down from upgrading because the upgrade will break their existing production Java application.”
Chin suggests that for those who can’t upgrade, they should make sure access control lists are highly audited and access to the Java applications are internal facing and only exposed via virtual private networks (VPNs).
In addition to Java, Oracle’s Fusion Middleware Suite is being patched for multiple vulnerabilities. In total, Oracle is patching 22 security flaws in Fusion, of which 19 are remotely exploitable without user authentication and only a single flaw carries a CVSS score of 10.
The Oracle and Sun Systems products suite, which includes the Solaris Unix operating system, is receiving 11 patches, with only one of them being remotely exploitable. Oracle now separately breaks out fixes for the MySQL database, which came to Oracle by way of its acquisition of Sun in 2010. MySQL is being fixed for 18 security vulnerabilities, with only one receiving the highest CVSS score of 10.
In contrast to MySQL, Oracle’s namesake database is only receiving five security fixes, and only one of the flaws is remotely exploitable without user authentication.
While the Java updates have a high priority, so too do the other fixes, Ken Pickering, director of engineering at Core Security, told eWEEK.
“The truth is many Oracle products are in a lot of places, holding or standing in front of a lot of critical data,” Pickering said. “It’s imperative to keep these particular applications up to date, since many of them are business-critical.”
Pickering added that the fact that the Oracle applications are business critical deployments, typically makes it even more difficult to perform maintenance on them.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
