All has been relatively quiet of late on the Java security front, which is in stark contrast to a year ago when Java was the scourge of the Internet. Vulnerabilities in Java were being exploited at an alarming rate in a number of targeted attacks including watering hole attacks against prominent government agencies, manufacturers and activists.
Yesterday’s quarterly Critical Patch Update from Oracle served as a reminder that the Java house still is not in order. The big database company released 36 Java patches with the CPU, which patched 144 vulnerabilities across just about all of Oracle’s product lines.
While enterprise IT departments thought they were getting a reprieve with relatively light Patch Tuesday security updates from Microsoft and Adobe, Oracle brought them back down to Earth with its first set of patches for 2014.
Of the 36 Java bugs Oracle addressed, 34 could be exploited remotely. Five vulnerabilities were given Oracle’s highest criticality rating of 10 and another five were rated 9.3; most apply only to client deployments of Java, Oracle said, adding that just one is a server-side vulnerability. Oracle director of software security assurance Eric Maurice wrote on his department’s blog yesterday that an attacker can exploit the server-side bug by sending malicious data to the API of the vulnerable component, thereby bypassing Java sandbox protections.
“While a successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments because the affected component is not installed or cannot be easily accessed by malicious attacker,” Maurice wrote, “a prompt application of the Critical Patch Update will help ensure that security in depth is maintained in the environment.”
Java far and away had the highest number of critical patches; patches for only three other products merited the most severe rating: MySQL Server, the Oracle Financial Services Software component called FLEXCUBE, and Oracle Fusion Middleware.
The critical MySQL patch was one of 18 fixes released for the database server. Three of those patches were for remotely exploitable bugs, including one in MySQL Enterprise Monitor that was rated a 10 by Oracle.
As for the Oracle Fusion Middleware patches, Oracle cautions users to also prioritize patches for vulnerabilities in Oracle Database Server, as some of those components could also expose Fusion products. Oracle released 22 Fusion Middleware patches, 19 of which are remotely exploitable, including the most severe, in the Oracle WebCenter Sites Community component.
There was a relatively light load of Oracle Database patches, five in all, one of which fixes a remotely exploitable flaw in the Core RDBMS.