On Tuesday, for the first time, Java security updates were included with the quarterly Oracle Critical Patch Update – and just as quickly, Java wasted no time elevating itself as the top concern for Oracle admins and security experts.
Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle.
“The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations,” said Qualys CTO Wolfgang Kandek.
Users are urged to immediately upgrade Java to version 7 update 45; Java 6 installations are also vulnerable to close to a dozen critical vulnerabilities, experts said, adding that users should avoid enabling the plug-in altogether, or isolate Java 6 machines.
“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin,” said Ross Barrett, senior security engineer at Rapid7. “Otherwise, run Java in the most restricted mode and only allow signed applets from white-listed sites to run.”
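One way to put Barrett's advice into practice on managed desktops is a Java Deployment Rule Set (available from Java 7 update 40 onward), which lets an administrator allow applets only from named sites and block everything else. The rule set below is an added example written for this article, not configuration published by Oracle or by the people quoted; the hostnames are placeholders, and the `jar`/`jarsigner` packaging steps described after it follow the Deployment Rule Set documentation as the author of this example understands it.

```xml
<!-- ruleset.xml: evaluated top to bottom; the first matching rule wins.
     Deploy it as a signed DeploymentRuleSet.jar (see note below). -->
<ruleset version="1.0+">

  <!-- Rule 1: the one or two business sites that genuinely need the plug-in.
       Placeholder hostname; restrict to HTTPS so the origin cannot be spoofed
       on the wire. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Rule 2: a second whitelisted site, limited to an exact path prefix. -->
  <rule>
    <id location="https://timesheets.example.com/java/" />
    <action permission="run" />
  </rule>

  <!-- Rule 3: catch-all. An empty <id /> matches every other applet or
       Web Start application, so anything not listed above is blocked and
       the user sees a short explanation instead of a security prompt. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java content is blocked on this machine except for approved internal sites.</message>
    </action>
  </rule>

</ruleset>
```

The XML alone does nothing: it has to be packaged as `DeploymentRuleSet.jar` (`jar cf DeploymentRuleSet.jar ruleset.xml`), signed with `jarsigner` using a certificate the client trusts, and placed in the system deployment directory (for example `C:\Windows\Sun\Java\Deployment` on Windows). Pair it with `deployment.security.level=VERY_HIGH` in the system `deployment.properties` so that, for anything the rule set does not explicitly allow, only signed applets can run, and use `deployment.webjava.enabled=false` on machines that need no browser Java at all.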
Java 6, however, is no longer supported by Oracle and security patches are not being developed.
“The recommended action for Java 6 here is to upgrade to Java 7 if possible,” Kandek said. “If you cannot upgrade, I would recommend to isolate the machine that needs Java 6 running and not use it for any other activities that connect it to the Internet, such as e-mail and browsing.”
Experts also remind users that the latest Java updates include code-signing restrictions and pop-ups warning that unsigned Java applets pose a security risk and will not execute automatically by default.
Noted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden LiveConnect, a browser feature that lets applets communicate with the browser's JavaScript engine, as well as Java Rich Internet Applications.
“With that respect, some extra warning dialogs are displayed to the user prior to allowing the calls from JavaScript to Java,” Gowdiak said, adding that Oracle has also patched a Reflection API vulnerability he submitted to the company.
On the server side, CVE-2013-5782 and CVE-2013-5830 were patched. The vulnerabilities were found in Oracle JRockit, the Java virtual machine built into its Oracle Fusion Middleware.
“Besides the Java patches, nothing else jumps out as particularly interesting,” Rapid7’s Barrett said.
Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug. MySQL Enterprise Monitor is a real-time management interface that watches over MySQL databases for performance, availability and security.
Database managers should be aware of four patches for Oracle RDBMS, all of which are remotely exploitable, though Kandek points out that Oracle databases are not exposed to the Internet.
There are 17 patches for Oracle Fusion Middleware, a dozen of which are remotely exploitable. The Outside In document-viewing component of Fusion Middleware, which is also used in Microsoft Exchange installations, is patched in this update as well. The component gained some attention with the August Microsoft Patch Tuesday updates, when an attacker could gain remote access by enticing a user to open a malicious file with Outlook Web Access.
Oracle also released a dozen patches for its Sun product line, including a bug in Sun’s SPARC server management module that could give an attacker access to a number of important management features.
The remaining patches address security vulnerabilities in Oracle Enterprise Manager Grid Control and in a number of Oracle business applications, including Supply Chain, PeopleSoft, Siebel, iLearning, Industry, Financial and Primavera apps.