MySQL still gets attention
Oracle's lack of attention to databases may be confined to its flagship database, since the Critical Patch Update (CPU) did not neglect MySQL. Of the 31 new security fixes for Oracle MySQL, four could be exploited remotely without authentication. Both the critical vulnerability in MySQL Server's packaging subcomponent (CVE-2016-0705) and the critical vulnerability in MySQL Server's pluggable authentication subcomponent (CVE-2016-0639) affect versions 5.6.29 and earlier as well as 5.7.11 and earlier. Oracle assigned a CVSS 3.0 rating of 9.8 (CVSS 2.0 rating of 10.0) and warned that the attack complexity for these flaws was low, meaning attackers don't have to meet any special requirements to reach the bug. A successful attack would result in total information disclosure and complete control over the targeted system.
The other two flaws that can be remotely exploited are not rated critical, but should be considered high-priority. The vulnerability in MySQL Server in the encryption subcomponent (CVE-2015-3194) has a CVSS 3.0 rating of 7.5 and affects versions 5.6.28 and earlier, as well as 5.7.10 and earlier. A successful attack would result in the system no longer being available.
The other is a vulnerability in MySQL Server's connection handling subcomponent (CVE-2016-2047) that has a CVSS 3.0 rating of 5.9. This flaw exists in versions 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier. An attacker who succeeds in exploiting this flaw would be able to modify information on the server.
Administrators can reduce the risk of attacks targeting these flaws by limiting the machines that can form a direct connection using the MySQL protocol.
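As an added example (not code from the article or from Oracle), here is a small audit script for that mitigation: it checks a my.cnf fragment for a listener bound to every interface and flags MySQL accounts whose host patterns let arbitrary machines attempt a MySQL-protocol connection. The configuration text and the account rows are constructed samples, not taken from any real server.

```python
import configparser

# Constructed sample my.cnf fragment (hypothetical, not from the article).
SAMPLE_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed sample rows as SELECT user, host FROM mysql.user would return them.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "10.0.5.%"),
    ("report", "%"),
    ("backup", "192.168.1.20"),
]


def audit_bind_address(my_cnf_text):
    """Return a finding if mysqld accepts TCP connections from any network, else None."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return "no [mysqld] section: server falls back to defaults and listens on all interfaces"
    if cp.has_option("mysqld", "skip-networking"):
        return None  # TCP listener disabled entirely; only local socket connections remain
    addr = cp.get("mysqld", "bind-address", fallback="*")
    if addr in ("*", "0.0.0.0", "::"):
        return f"bind-address={addr}: any host that can reach port 3306 may speak the MySQL protocol"
    return None


def audit_account_hosts(accounts):
    """Return (user, host, reason) for accounts whose host pattern is a wildcard."""
    findings = []
    for user, host in accounts:
        if host == "%":
            findings.append((user, host, "wildcard host: any machine may attempt a login"))
        elif "%" in host:
            findings.append((user, host, "partial wildcard: a whole address range may attempt a login"))
    return findings


if __name__ == "__main__":
    print(audit_bind_address(SAMPLE_MY_CNF))
    for finding in audit_account_hosts(SAMPLE_ACCOUNTS):
        print(finding)
```

The script only covers the server's own settings; pair it with a host or network firewall rule so that only the application hosts listed in mysql.user can reach TCP port 3306 at all.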
Patch Java or dump it
Oracle patched nine security flaws in Oracle Java SE, which affects Java applets and Java Web Start applications. All of the vulnerabilities can be remotely exploited without a username or password, but the severity depends on the level of privileges assigned to the user. If the user has administrator privileges -- unfortunately still common on Windows systems -- the severity is much higher than if the user has restricted access, a scenario more common for Linux and Solaris users.
Oracle said the attack complexity for the flaws in Java SE's 2D subcomponent (CVE-2016-3443, base score of 9.6 under CVSS 3.0), in Java SE and Java SE Embedded's hotspot subcomponent (CVE-2016-0687, base score of 9.6 under CVSS 3.0), and in Java SE and Java SE Embedded's serialization subcomponent (CVE-2016-0686, base score of 9.6 under CVSS 3.0) was low. Affected versions include Java SE 6u113, 7u99, 8u77, and Java SE Embedded 8u77.
The three flaws affect Java deployments that load and run untrusted code, such as clients running sandboxed Java Web Start applications or sandboxed Java applets, Oracle said in its advisory. The vulnerabilities do not apply to server-side Java deployments that load and run only trusted code.