Oracle fixes critical flaws in Database Server, MySQL, Java
The October 2015 Critical Patch Update includes a number of fixes for “very severe vulnerabilities,” but none has yet been exploited in the wild, wrote Eric Maurice, software security assurance director at Oracle. “However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort,” Maurice warned.
Of the Oracle Database vulnerabilities, seven were for Oracle Database Server and one was for Oracle Database Mobile/Lite Server. The most severe vulnerability was in Oracle Database Server’s Portable Clusterware component, with a CVSS Base Score of 10.0. This means the bug could be remotely exploited over the network without needing a username and password, resulting in a full compromise of the targeted system. Three other critical vulnerabilities, all with the CVSS Base Score of 9.0, could affect the Database Scheduler and Java VM components. The vulnerabilities don’t apply to client-only database installations where the Oracle Database Server is not installed.
Oracle also fixed 30 security flaws in the MySQL database, two of which were remotely exploitable without authentication. The most severe flaw affected the MySQL Enterprise Monitor component and could lead to a complete takeover of the targeted system if the component ran with administrator or root-level privileges. The bug’s CVSS Base Score dropped from 9.0 to 6.5 if the MySQL Enterprise Monitor ran with non-administrator privileges, as attackers would only get partial control of the targeted system, Oracle said in its advisory.
In addition, this update fixed older vulnerabilities in libcurl versions 7.17.1 through 7.42.1 (CVE-2014-3707, CVE-2014-8150, CVE-2015-3153 and CVE-2015-3236), which could result in Carriage Return/Line Feed (CRLF) injection attacks. Such attacks, also known as HTTP response splitting, could be used to inject arbitrary HTTP headers and obtain sensitive information by reading header contents.
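To make the CRLF injection class concrete, here is an added example (not code from the article, Oracle or curl) showing why an unvalidated header value splits the header block, and the check that refuses it; the header names and values are constructed samples.

```python
import re

# Constructed samples: a benign value and one carrying a CRLF followed by a
# second header, which is the shape of an HTTP response splitting payload.
SAFE_VALUE = "session=abc123"
INJECTED_VALUE = "session=abc123\r\nX-Injected: yes"

# CR, LF and NUL can terminate or corrupt an HTTP header line.
_CTL = re.compile(r"[\r\n\x00]")


def is_header_safe(value: str) -> bool:
    """True when the value cannot terminate or split an HTTP header line."""
    return _CTL.search(value) is None


def serialize_headers_naive(headers: dict) -> bytes:
    """The bug: concatenates name/value pairs without validating them."""
    return b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in headers.items())


def serialize_headers_safe(headers: dict) -> bytes:
    """The fix: reject any name or value that could split a header line."""
    for k, v in headers.items():
        if not (is_header_safe(k) and is_header_safe(v)):
            raise ValueError(f"refusing header {k!r}: contains CR/LF/NUL")
    return serialize_headers_naive(headers)


def header_line_count(raw: bytes) -> int:
    """Number of header lines a receiver would parse from the raw block."""
    return len([line for line in raw.split(b"\r\n") if line])


if __name__ == "__main__":
    # One header goes in, two come out: the injected line is now a real header.
    print(header_line_count(serialize_headers_naive({"Cookie": INJECTED_VALUE})))
    try:
        serialize_headers_safe({"Cookie": INJECTED_VALUE})
    except ValueError as exc:
        print("blocked:", exc)
```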
Java is a popular attack vector for attackers, so the CPU is even more critical for organizations relying on Java. The latest update patched 25 vulnerabilities in Java, of which 24 allowed for remote execution. Seven vulnerabilities in Java SE and Java SE Embedded versions 6 to 8 had a CVSS Base Score of 10.0. The flaws, present in various libraries and multiple subcomponents, including CORBA, RMI, Serialization, and 2D, applied to client-side Java alone. They could be exploited only through sandboxed Java Web Start applications and sandboxed Java applets, Oracle said.
The CVSS Base Scores assume the user running a Java applet or Java Web Start application has administrator privileges, which is a common scenario on Windows. If the application is not running with administrator privileges -- more typical on Solaris and Linux -- the CVSS scores drop and the attackers would get only partial control of the targeted system, Oracle said in the advisory.
A separate flaw in the JavaFX subcomponent (CVE-2015-4901) applied to both client and server deployments. It could be exploited through sandboxed Java Web Start applications and Java applets, as well as by supplying data to APIs in that component through a Web service.
Twenty of the vulnerabilities were browser-based. Users should use only the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases, Oracle said.
Oracle recommended that organizations apply the CPU as soon as possible because of the threats, but said it was possible to reduce the risk of successful attack by blocking the network protocol required by the attack. The most severe database vulnerability uses the OracleNET protocol, but it doesn’t make sense to apply this workaround for MySQL, which relies on HTTP. Some of the critical bugs become less severe if certain privileges or access to certain packages are revoked. Since these workarounds can break application functionality, Oracle recommended testing changes on nonproduction systems first.
“Neither approach should be considered a long-term solution as neither corrects the underlying problem,” Oracle said.
Oracle pushes out security fixes for its product portfolio on a quarterly basis. This quarter’s CPU is not significantly different in size from past updates. The July update included fixes for 193 vulnerabilities, while the January update fixed 169 vulnerabilities. The April update was the smallest in 2015, with fixes for 98 vulnerabilities.
Oracle’s next scheduled update is Jan. 19, 2016.