Oracle’s final Critical Patch Update (CPU) for 2018 is now available, patching 301 vulnerabilities spread across Oracle’s product portfolio.
Of the 301 vulnerabilities, 49 are rated with a CVSS (Common Vulnerability Scoring System) score of 9.0 or higher, with only a single issue garnering the top severity rating of 10.0. The October CPU became generally available on Oct. 16 and includes patches for both first-party and third-party components that Oracle develops and ships in its products.
“As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components),” Eric Maurice, director of security assurance at Oracle, wrote in a blog post.
While 301 flaws is a large number, it is actually fewer than the 334 that Oracle patched in its previous CPU, released on July 18. The most severe of the 301 is CVE-2018-2913, a flaw in Oracle's GoldenGate software and the only issue to receive a CVSS score of 10.0.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle GoldenGate,” the NIST National Vulnerability Database (NVD) advisory states. “While the vulnerability is in Oracle GoldenGate, attacks may significantly impact additional products.”
The GoldenGate flaw was one of three that security researchers working at Tenable discovered. In a research note detailing the CVE-2018-2913 flaw, Tenable referred to the issue as an unauthenticated remote stack buffer overflow condition.
“A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command,” Tenable stated in its advisory. “An attacker can trigger the condition by simply sending a long command.”
Looking specifically at the Java-related flaws in the October CPU, there are 12 Java SE flaws, 11 of which are remotely exploitable without user authentication. The WebLogic Java application server is being patched for 12 issues, with eight being remotely exploitable without user authentication.
Some of the Java issues are related to deserialization risks, which have been an ongoing concern for several years.
“I do not believe [Java deserialization] is a design flaw as such as issues with additional development steps required to harden and hide Java objects,” Joseph Kucic, chief security officer at Cavirin, told eWEEK. “Obviously, this is avoided by moving to use a safe and standard data interchange format such as JSON.”
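The "additional development steps" Kucic refers to have a concrete form in the JDK itself: since Java 9 (JEP 290), an application can attach an allowlist filter to an `ObjectInputStream` so that only the classes it expects are ever instantiated from an untrusted stream, and unexpected classes are rejected before any of their deserialization code runs. The following is an added illustration, not code from the article or from Oracle; the `Order` class, the SKU values and the filter pattern are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (Java 9+): deserialize untrusted bytes only through a strict allowlist filter.
public final class SafeDeserializer {

    // Constructed sample type: the one business class this endpoint is expected to receive.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    // Allowlist filter written in the JDK's pattern syntax:
    //  - maxdepth / maxrefs cap the size of the object graph (deeply nested graphs are a DoS vector)
    //  - the expected class and java.lang.String (its only non-primitive field) are allowed
    //  - "!*" rejects every other class, so no unexpected type is ever instantiated
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;" + Order.class.getName() + ";java.lang.String;!*");

    // Helper used only to build sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Every read from untrusted input goes through this method, with the filter attached per stream.
    // (ObjectInputFilter.Config.setSerialFilter would instead apply one filter JVM-wide.)
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: an Order round-trips normally.
        Order accepted = (Order) deserialize(serialize(new Order("SKU-1", 3)));
        System.out.println("accepted: " + accepted.sku + " x" + accepted.qty);

        // Unexpected input: a HashMap is a perfectly ordinary serializable class, but it is not on
        // the allowlist, so the filter rejects it before HashMap.readObject is ever invoked.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserialize(serialize(unexpected));
            System.out.println("unexpected object was accepted: filter is misconfigured");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is evaluated for each class encountered in the stream, so an allowlist has to include the types of serialized fields (here `java.lang.String`) as well as the top-level class; a rejection surfaces as an `InvalidClassException` with a "filter status: REJECTED" message, which is a useful thing to alert on in application logs. The pattern syntax also accepts package wildcards such as `com.example.**`, but the narrower the list, the less there is for an unexpected object graph to reach.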
Apostolos Giannakidis, security architect at Waratek, told eWEEK that Oracle did a lot of cleanup work in the October CPU, fixing flaws that date back to 2014. The Java patches Oracle issued largely affect Java 8 and earlier releases rather than the newer versions. Java 11 was released on Sept. 25 as the second major Java release of 2018.
“Oracle, like all software vendors, relies largely on users and third-party researchers to report flaws and potential fixes,” Giannakidis said. “Utilization is relatively low for Java 9 and 10, which translates into fewer users available to report flaws.”
Oracle’s namesake database is only getting three security fixes as part of the October CPU, two of them being remotely exploitable without the need for any user credentials.
The MySQL database is getting patched for 38 security issues, with only three being remotely exploitable without authentication. Of the three, the CVE-2018-11776 issue in MySQL Enterprise Monitor is the most critical, with a CVSS score of 9.8. The flaw is derived from the Apache Struts component used in the Monitor tool.
“The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor,” the advisory warns. “Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor.”
One of the single largest sets of vulnerabilities in the October CPU is in the Oracle Fusion Middleware portfolio, which is getting 65 new security fixes. Oracle’s E-Business Suite is being patched for 16 issues.
Overall, it’s not clear if security got better or worse for Oracle over the course of 2018, according to Matias Mevied, Oracle security specialist at Onapsis.
“Analyzing the number of vulnerabilities from 2015 to 2018, there are some indicators that Oracle is fixing almost double the [number of] vulnerabilities in 2018 than 2015, with 613 vulnerabilities fixed in 2015 and 1,128 in 2018,” Mevied told eWEEK. “This can happen for different reasons: Oracle is improving its security, patching more vulnerabilities; Oracle incorporates more products; there are more researchers reporting vulnerabilities; and also it could be that the Oracle applications are more vulnerable, but we don’t think this is the most relevant or probable issue.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.