Vulnerabilities that allow remote, unauthenticated access should be the first priority for administrators applying the latest Oracle Critical Patch Update (CPU), security experts say.
This means businesses will need to focus on more than 40% of the 89 updates, which span most of Oracle’s product groups.
Java is currently on a separate four-monthly update cycle, but it will be migrated to the same schedule from October 2013.
Oracle’s flagship product, the Oracle database, gets six updates this month, with four being remotely exploitable.
The XML parser vulnerability, which is remotely accessible but requires authentication, has the highest Common Vulnerability Scoring System (CVSS) score of the Critical Patch Update, scoring nine on a scale of 10, indicating high criticality.
“One mitigating factor is that Oracle databases are typically not exposed to the internet,” said Wolfgang Kandek, chief technology officer at security firm Qualys.
Oracle’s MySQL database has 18 vulnerabilities addressed, including two that are remotely accessible and have a CVSS score of 6.8.
“MySQL is often found exposed to the internet, even though this is not considered best practice. If you use MySQL in your organisation, it makes sense to run a perimeter scan to collect information on all databases externally exposed,” said Kandek.
The Oracle Sun product line has 16 updates, with eight being remotely accessible. The highest CVSS score is 7.8.
“If you have Sun Solaris servers in your organisation, review these patches and start with the machines on your perimeter and DMZ,” said Kandek.
Oracle’s Fusion Middleware has a total of 21 vulnerabilities and includes many components that are typically found on the internet, such as the Oracle HTTP server.
Of the 21 vulnerabilities, 16 are accessible remotely, with a maximum CVSS score of 7.5. “Again, a perimeter scan is helpful, or even a quick query to Shodan, which shows more than 500,000 machines with Oracle’s HTTP out on the internet,” said Kandek.
The highest CVSS score is 7.5, which should not be ignored, said Ross Barrett, senior manager of security engineering at Rapid7.
Fusion contains the Outside-In product that is used in Microsoft Exchange for document viewing. Outside-In has, in the past year, caused two updates in Microsoft’s email product to address the vulnerabilities in MS12-058 and MS12-080.
According to Kandek, recent research by Will Dormann shows that Outside-In has the potential for further vulnerabilities. He recommends turning off the WebReady feature, which means users must download documents to local disk to view them.
Other product areas with security updates include PeopleSoft, E-Business Suite, Virtualisation and Solaris, which has been hit with two remote denial of service (DoS) attacks plus a couple of local elevation of privilege issues, said Barrett.
“With such a diverse range of products in this quarter’s patch, it's hard to tackle these from top to bottom. I recommend patching any vulnerable Oracle Database Server instances as soon as possible, and don’t neglect the stability or integrity of the Solaris deployment,” he said.
Kandek said dealing with the large size of Oracle CPUs would be easier if organisations had a good map of the software currently installed across their estate.
“In any case, we recommend addressing vulnerabilities on systems that are internet accessible first, such as Fusion Middleware, the Solaris operating system and MySQL,” he said.
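The prioritisation rule the experts describe (internet-facing systems first, then fixes that are exploitable remotely without credentials, then CVSS score) can be applied mechanically once the installed-software map Kandek mentions exists. The following Python is an added illustration, not code from the article, Oracle, Qualys or Rapid7; the advisory entries and host inventory are constructed sample data whose products and scores only loosely mirror the figures quoted above, and the field names are assumptions.

```python
"""Constructed patch-triage example: rank CPU fixes by internet exposure,
then by unauthenticated remote exploitability, then by CVSS base score."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    component: str
    cvss: float
    remote: bool          # exploitable over the network (no local access needed)
    auth_required: bool   # attacker must already hold valid credentials


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    internet_exposed: bool  # from the perimeter scan / asset inventory


# Constructed sample advisories; scores loosely mirror those quoted in the article.
ADVISORIES = [
    Advisory("Oracle Database", "XML parser", 9.0, remote=True, auth_required=True),
    Advisory("MySQL", "Server", 6.8, remote=True, auth_required=False),
    Advisory("Fusion Middleware", "Oracle HTTP Server", 7.5, remote=True, auth_required=False),
    Advisory("Solaris", "Remote DoS", 7.8, remote=True, auth_required=False),
    Advisory("Solaris", "Local privilege escalation", 6.2, remote=False, auth_required=True),
    Advisory("PeopleSoft", "Enterprise", 5.0, remote=True, auth_required=False),
]

# Constructed inventory: the "map of installed software" the article refers to.
HOSTS = [
    Host("db-internal-01", "Oracle Database", internet_exposed=False),
    Host("mysql-web-01", "MySQL", internet_exposed=True),
    Host("ohs-edge-01", "Fusion Middleware", internet_exposed=True),
    Host("sol-dmz-01", "Solaris", internet_exposed=True),
    Host("sol-lab-01", "Solaris", internet_exposed=False),
]


def unauth_remote(adv: Advisory) -> bool:
    """True when the flaw is reachable over the network without credentials."""
    return adv.remote and not adv.auth_required


def triage(advisories, hosts):
    """Return (host, product, component, cvss) tuples in recommended patch order.

    Sort key, highest first: exposed to the internet, then unauthenticated
    remote, then CVSS. A 9.0 that needs credentials on an internal host
    therefore ranks below a 6.8 unauthenticated flaw on an exposed host.
    """
    work = [(h, a) for h in hosts for a in advisories if a.product == h.product]
    work.sort(
        key=lambda ha: (ha[0].internet_exposed, unauth_remote(ha[1]), ha[1].cvss),
        reverse=True,
    )
    return [(h.name, a.product, a.component, a.cvss) for h, a in work]


def unmapped_products(advisories, hosts):
    """Products in the CPU with no known host: either not installed, or the
    inventory is incomplete and the gap itself needs investigating."""
    installed = {h.product for h in hosts}
    return sorted({a.product for a in advisories} - installed)


if __name__ == "__main__":
    for rank, (host, product, component, cvss) in enumerate(triage(ADVISORIES, HOSTS), 1):
        print(f"{rank:2d}. {host:15s} {product:18s} {component:28s} CVSS {cvss}")
    print("Not in inventory:", ", ".join(unmapped_products(ADVISORIES, HOSTS)))
```

The ranking deliberately places the perimeter before the raw score: the 9.0 XML-parser flaw on the internal database lands near the bottom because it needs credentials and the host is not reachable from outside, while the exposed Solaris, HTTP Server and MySQL hosts come first. `unmapped_products` surfaces CPU entries for products that the inventory does not list at all, which is exactly where a missing software map causes patches to be overlooked.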
According to Craig Young, a security researcher at Tripwire, Oracle has acknowledged and fixed 343 security issues so far this year.
“In case there was any doubt, this should be a big red flag to users that Oracle’s security practices are simply not working,” he said. “The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties.”
This month’s CPU credits 18 different researchers coming from more than a dozen different companies, he added.