Oracle released its latest quarterly Critical Patch Update on April 17, fixing 297 vulnerabilities spread across its software portfolio.
The vulnerabilities patched in the update vary in severity, with 53 of the flaws getting a Common Vulnerabilities Scoring System (CVSS) score of 9.0 or more, denoting the most critical issues. Not all of the vulnerabilities in the patch set are entirely new either, with one being a 3-year-old flaw in a Java library that is only now making its way into patches for affected products. The need to patch flaws both old and new is one that Oracle and security experts alike regularly emphasize.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” Oracle stated in its advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”
Among the most well-known instances of an unpatched issue leading to exploitation is the 2017 breach of Equifax, in which the Apache Struts component, which is part of multiple Oracle applications, was not patched. Somewhat coincidentally, among the most impactful flaws patched in the new April CPU is one belonging to a similar bug class as the flaw that impacted Equifax.
Java Deserialization Flaw Patched in 19 Products
Among the most noteworthy aspects of the April CPU is the CVE-2016-1000031 Java flaw that is being patched across 19 Oracle products. CVE-2016-1000031 is a 3-year-old Java deserialization vulnerability found in the Apache Commons FileUpload library that is used across multiple Oracle applications.
“The vulnerability exists in the DiskFileItem component that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary directories,” Apostolos Giannakidis, security architect at Waratek, told eWEEK. “Remote attackers could exploit this vulnerability to take complete control of the affected systems.”
The issue of deserialization of untrusted data is a highly critical class of vulnerability and in fact is the same type of vulnerability that attackers exploited (CVE-2017-5638) in the Equifax breach.
As to why Oracle is now fixing the issue, three years after it was first identified, there are multiple possibilities. Giannakidis explained that fixing deserialization vulnerabilities can be very difficult in many cases as it might require the introduction of a low-level security mechanism that performs a type of or even a partial redesign of the application in the worst case. Making low-level changes to the serialization mechanism of application is error prone and can have ripple effects that could break normal application functionality.
“Effectively, this causes patching to be deferred for very long periods of time, which gives ample time for the attackers to identify and compromise vulnerable systems,” he said.
Giannakidis added that in the last few Oracle security updates he has seen Oracle starting to take security hygiene more seriously. However, there are still large delays in patching vulnerable dependencies.
“Java deserialization vulnerabilities are still plaguing Oracle’s application stack even 3-4 years after the vulnerabilities were originally reported,” he said. “Popular enterprise applications that have millions of deployments around the world, such as Oracle Banking Platform, Oracle Fusion Middleware, Primavera, Oracle Siebel CRM, etc., are still getting patched against this dreadful vulnerability.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.