Oracle’s quarterly Critical Patch Updates (CPU) are known for their daunting volume, usually a disproportionately big number of fixes that database and system administrators have to deal with every three months. Yesterday’s CPU, however, takes the cake.
Oracle pushed out the door a record 248 patches on Tuesday, for vulnerabilities across its product lines. That number shatters the previous high of 193 last July, which was the first time the CPU inched toward 200. By comparison, the last update of 2015, in October, was a meager 154 patches.
Of the 248 yesterday, five earned a Common Vulnerability Scoring System (CVSS) score of 10.0, three of those in Java. There were eight Java patches overall, and all but one are remotely exploitable without authentication. One was found in the Java SE 2D API for graphics and imaging, and the other two in Java AWT (Abstract Window Toolkit), which is part of the standard API for providing a GUI for a Java program.
“Of the three, two apply only to the client-side (the aforementioned scenario that has gotten so much attention), but one also applies to server deployments and should be looked at by your server team,” said Qualys CTO Wolfgang Kandek in an analysis posted to the Qualys Laws of Vulnerabilities blog.
Java is not as imposing a security monster as it was a few years back when targeted attacks and exploit kits were concentrating heavily on vulnerabilities in the platform. Oracle has implemented changes, especially in the area around the security of Java applets and denying the execution of unsigned applets, for example. Browser makers have also taken similar steps to keep Java in check.
“All this has resulted in a more stable environment for Java and we have not heard of its use in any of the main attack campaigns,” Kandek said.
The two remaining vulnerabilities that scored 10.0 criticality were patched in Oracle Golden Gate, the company’s change and log management tool. The flaws are remotely accessible and can be exploited without authentication. Oracle said the most critical bugs were found on Windows for Oracle Database versions prior to 12c.
Oracle addressed 10 vulnerabilities overall in its flagship Oracle Database Server, including three in Golden Gate. None of the remaining seven were remotely exploitable.
Oracle also patched other critical bugs in many of its business software products. There were 78 patches for the Oracle E-Business Suite, 69 of which are remotely exploitable without authentication. The suite includes critical business applications including financial, supply chain and customer relationship management software. Two of the vulnerabilities were discovered by ERPScan, a security company focusing on enterprise resource planning software security.
“These applications store and process the most valuable corporate data such as HR information, financial information, supplier and customer lists, and others,” ERPScan said in its analysis of the CPU. “In case of a successful attack, a malicious person can manipulate data about the quantity of material resources, change the item prices, misappropriate funds, and modify financial reports, just to name a few.”