Administrators who support Java applications and various Oracle databases should pay close attention to the latest quarterly security update from Oracle, as more than a third of the security fixes affect Java, MySQL, and Oracle Database Server. Several of these vulnerabilities are considered critical and could be remotely exploited without requiring authentication, Oracle said.
Oracle doesn't state in the Critical Patch Update (CPU) whether any of the vulnerabilities are currently being exploited in the wild. However, it warns that attackers continue to target security holes for which fixes are already available. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," the company said in an advisory.
Oracle has switched to the Common Vulnerability Scoring System (CVSS) 3.0 scale to indicate the severity of the flaws fixed in the CPU. This advisory also lists CVSS 2.0 scores alongside the new ones, but going forward the CPU will rely on the newer scale, so teams that trigger patch-priority rules on a numeric threshold should expect the same class of bug to score differently than it did last quarter.
Losing interest in database fixes
The size of this CPU -- 136 fixes -- is actually the second smallest over the past year. Last April's CPU fixed a mere 98 flaws, but subsequent updates have been progressively larger, peaking at 248 patches in January's gargantuan CPU. More than the size of the CPU itself, what's striking is the small number of patches for Oracle Database. Past CPUs have hovered around 10 Oracle Database Server patches, but this month there are only five. Maybe it has something to do with April -- Oracle patched a mere four flaws last April.
Of the five security fixes for Oracle Database Server, two can be remotely exploited over a network without the attacker having valid login credentials. None of the flaws applies to client-only installations or to organizations that do not run Oracle Database Server. The most serious vulnerability is a critical flaw in the Java VM component (CVE-2016-3454) in Oracle Database Server versions 11.2.0.4, 12.1.0.1, and 12.1.0.2. Oracle assigned it a CVSS 3.0 base score of 9.0 (CVSS 2.0 score of 7.6) and noted that the attack complexity is high. A successful attack would likely result in total information disclosure and give the attacker complete control over the targeted system.
Considering how many organizations are locked into expensive legacy contracts because their critical systems rely on Oracle databases, it is worrying that the bulk of the CPUs over the past few years has fixed issues in non-database products. Like any other software, Oracle Database has bugs, and given the amount of sensitive data organizations store in it, the company should focus more attention on finding and patching them. The fact that it hasn't been doing so is another indicator that Oracle is moving away from its database roots.