    Oracle Patches 301 Vulnerabilities in October Update

By Sean Michael Kerner, October 18, 2018

      Oracle’s final Critical Patch Update (CPU) for 2018 is now available, patching 301 vulnerabilities spread across Oracle’s product portfolio.

Of the 301 vulnerabilities, 49 are rated with a CVSS (Common Vulnerability Scoring System) score of 9.0 or higher, and only a single issue received the top severity rating of 10.0. The October CPU became generally available on Oct. 16 and includes patches for both first-party components and the third-party components that Oracle ships in its products.

      “As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components),” Eric Maurice, director of security assurance at Oracle, wrote in a blog post.

While 301 is a large number of flaws, it is fewer than the 334 that Oracle patched in its previous CPU, released on July 18. The single CVSS 10.0 rating among the 301 went to CVE-2018-2913, a flaw in Oracle’s GoldenGate replication software.

      “Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle GoldenGate,” the NIST National Vulnerability Database (NVD) advisory states. “While the vulnerability is in Oracle GoldenGate, attacks may significantly impact additional products.”

      The GoldenGate flaw was one of three that security researchers working at Tenable discovered. In a research note detailing the CVE-2018-2913 flaw, Tenable referred to the issue as an unauthenticated remote stack buffer overflow condition.

      “A stack buffer overflow can occur if an unauthenticated remote attacker provides a malformed command,” Tenable stated in its advisory. “An attacker can trigger the condition by simply sending a long command.”

Java

      Looking specifically at the Java-related flaws in the October CPU, there are 12 Java SE flaws, 11 of which are remotely exploitable without user authentication. The WebLogic Java application server is being patched for 12 issues, with eight being remotely exploitable without user authentication.

      Some of the Java issues are related to deserialization risks, which have been an ongoing concern for several years.

      “I do not believe [Java deserialization] is a design flaw as such as issues with additional development steps required to harden and hide Java objects,” Joseph Kucic, chief security officer at Cavirin, told eWEEK. “Obviously, this is avoided by moving to use a safe and standard data interchange format such as JSON.”
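The deserialization risk mentioned above comes down to one call: a service that feeds network bytes to ObjectInputStream.readObject() lets the sender choose which class on the classpath gets instantiated. The following is an added example written for this article, not Oracle’s code or code from anyone quoted here. It puts the unfiltered read beside the hardened form that uses the java.io.ObjectInputFilter API (JEP 290, standard in Java 9 and later; a backport exists for Java 8u121 and later under sun.misc) to allow only the one expected class and reject everything else before any object is constructed. The class names DeserializationDemo, ReplicationStatus and Unexpected, and the sample objects, are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Illustrative example (not Oracle's code): unfiltered versus allowlist-filtered
 * Java deserialization. Requires Java 9 or later for java.io.ObjectInputFilter.
 */
public class DeserializationDemo {

    /** The only type the hypothetical service is meant to accept from the wire. */
    public static final class ReplicationStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String lag;
        public ReplicationStatus(String lag) { this.lag = lag; }
    }

    /** Some other Serializable type that should never arrive on the wire. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Produces the constructed "network bytes" used below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: no filter, so any class on the classpath can be instantiated. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened form: an allowlist filter (JEP 290). Only the named class is allowed,
     * graph depth and array sizes are capped, and the trailing "!*" rejects every
     * other class. The check runs on the class descriptor, before construction.
     */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$ReplicationStatus;maxdepth=5;maxarray=1000;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);   // must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new ReplicationStatus("3s"));   // constructed sample input
        byte[] bad  = serialize(new Unexpected());              // constructed sample input

        // Unfiltered: the stream dictates the type, which is the attacker's lever.
        System.out.println("unfiltered, bad: " + readUnfiltered(bad).getClass().getName());

        // Filtered: the expected type still works ...
        System.out.println("filtered, good:  " + readFiltered(good).getClass().getName());

        // ... and anything else is refused with InvalidClassException (filter status: REJECTED).
        try {
            readFiltered(bad);
            System.out.println("filtered, bad:   accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, bad:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property (for example -Djdk.serialFilter='DeserializationDemo$ReplicationStatus;!*'), which is the practical control for third-party code whose readObject() calls you cannot edit. A filter does not remove gadget chains from the classpath; it stops the stream from reaching them, which is why a strict allowlist ending in "!*" is preferable to a denylist of known-bad classes.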

Apostolos Giannakidis, security architect at Waratek, told eWEEK that Oracle did a lot of cleanup work in the October CPU, fixing flaws that date back to 2014. The Java patches Oracle issued largely affect Java 8 and earlier releases rather than the newer versions. Java 11 was released on Sept. 25 as the second major Java release of 2018.

      “Oracle, like all software vendors, relies largely on users and third-party researchers to report flaws and potential fixes,” Giannakidis said. “Utilization is relatively low for Java 9 and 10, which translates into fewer users available to report flaws.”  

      Database

Oracle’s namesake database receives only three security fixes in the October CPU; two of the three flaws are remotely exploitable without any user credentials.

The MySQL database is patched for 38 security issues, only three of which are remotely exploitable without authentication. Of the three, CVE-2018-11776 in MySQL Enterprise Monitor is the most critical, with a CVSS score of 9.8; the flaw is inherited from the Apache Struts component that the Monitor tool uses.

      “The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor,” the advisory warns. “Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor.”

      Oracle Fusion

      One of the single largest sets of vulnerabilities in the October CPU is in the Oracle Fusion Middleware portfolio, which is getting 65 new security fixes. Oracle’s E-Business Suite is being patched for 16 issues.

      Overall, it’s not clear if security got better or worse for Oracle over the course of 2018, according to Matias Mevied, Oracle security specialist at Onapsis.

      “Analyzing the number of vulnerabilities from 2015 to 2018, there are some indicators that Oracle is fixing almost double the [number of] vulnerabilities in 2018 than 2015, with 613 vulnerabilities fixed in 2015 and 1,128 in 2018,” Mevied told eWEEK. “This can happen for different reasons: Oracle is improving its security, patching more vulnerabilities; Oracle incorporates more products; there are more researchers reporting vulnerabilities; and also it could be that the Oracle applications are more vulnerable, but we don’t think this is the most relevant or probable issue.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
