Oracle fixed 136 vulnerabilities across 46 different products this week as part of its quarterly Critical Patch Update. More than half of the CVEs, 72, are remotely exploitable without authentication.
Fixes for a slew of products, including Oracle’s Database Server, E-Business Suite and Fusion Middleware, along with its Sun Products line, Java SE platform and MySQL database, were pushed on Tuesday. The update is the company’s second batch of patches for 2016 and, as far as the number of fixes goes, is much more in line with Oracle’s typical patch updates than January’s record-setting CPU, which addressed 248 patches.
Seven of the vulnerabilities – present in Java SE, Java SE Embedded, JRockit, Oracle’s Unix operating system Solaris, and MySQL Server – are rated 10.0 in criticality under CVSS v.2.0, the older scoring system Oracle had been using. The company warns that all seven are remotely exploitable without authentication, meaning an attacker would not need a username or password to exploit them.
Of all the product lines receiving fixes this week, MySQL has the most, 31, four of which are remotely exploitable without authentication. Fusion Middleware has the second most, 22, and Oracle warns that nearly all of them, 21, are remotely exploitable.
To provide a more precise assessment of risk, Oracle switched to the most recent version of the Common Vulnerability Scoring System, CVSS v.3.0, with April’s CPU. Under the new system, which Oracle plans to use going forward, base scores of 10.0 have been re-calibrated, so technically no vulnerabilities are rated 10.0 this time around. The Solaris vulnerability and the MySQL vulnerabilities now have a base score of 9.8, while the Java SE vulnerabilities have revised base scores of 9.6, 9.6, 9.6 and 9.0.
Under v.2.0 only seven issues would have been marked critical, but under v.3.0 there are 17 issues that score over 9.0 and are in turn considered critical.
The move to v.3.0 – a system first introduced in June 2015 after three years of development – is an improvement in the eyes of some experts in Oracle security, including Alexander Polyakov, CTO at ERPScan, a Palo Alto, Calif.-based firm that helps companies secure Oracle enterprise resource planning (ERP) systems.
“I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0. For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system,” Polyakov told Threatpost Wednesday. “Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved.”
Polyakov also praised SAP, another ERP vendor, which switched to CVSS v.3.0 in March.
In addition to the fixes pushed Tuesday, Oracle is encouraging users who have not already done so to apply the fix it released last month as an emergency alert for Java SE. That update addressed an issue, improperly patched in 2013, that allowed attackers to bypass the Java sandbox and remotely execute code.
A separate flaw in IBM’s Java SDK implementation, which has also persisted since 2013, apparently still exists in some versions (7 and 8). IBM said last week that it was working on a fix.
IT administrators rejoiced in January when Oracle announced that it would retire the much-maligned Java browser plugin later this year. Oracle plans to retire the plugin in JDK 9, due in September, and from the JRE in a future Java SE release.