Recent global malware outbreaks WannaCry and NotPetya exposed how much enterprises struggle with patching. Staying current with the latest security patches involves testing, preparing and deploying the updates, and enterprises are lagging behind because each product has its own update schedule.
It is easy to wag fingers and say IT shouldn't take more than 60 days to deploy an update, but consider the current workload. On top of the regularly scheduled monthly updates from Microsoft and Adobe, some organizations may need to deal with the latest Cisco patches. Organizations are still working on closing the SMB vulnerability, especially applying the out-of-band updates for Windows XP and other unsupported systems. Enterprises with iOS devices need to prioritize the latest update, which addresses a serious security flaw in the devices' WiFi chip.
Then there is Oracle's gargantuan Critical Patch Update (CPU), which fixed a whopping 308 vulnerabilities across its entire product portfolio. Over half of the fixes, 168, address vulnerabilities that could be exploited remotely without any kind of user authentication.
"For the second time this year, the latest Oracle patch release has reinforced the accelerating challenges cybersecurity teams face in keeping pace with software flaws and the malicious hackers that exploit them," said John Matthew Holt, CTO of Waratek.
Databases aren’t the focus
In the July CPU, 27 of the fixed vulnerabilities are rated critical, with CVSS base scores between 9.0 and 10.0. The most severe, with a CVSS score of 10.0, was in the JNDI subcomponent of the Oracle WebLogic Server component of Oracle Fusion Middleware. An unauthenticated attacker with network access via HTTP could compromise and take over Oracle WebLogic Server 10.3.6.0 and 18.104.22.168. "While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products," ERPscan said in its analysis.
Security holes in Java tend to have wide-ranging impact, because they resurface in the many applications built on the affected runtime. The latest CPU fixed 32 vulnerabilities in Java, of which 28 were remotely exploitable without authentication. Three vulnerabilities in Java SE, Java SE Embedded and JRockit were considered critical, with a CVSS base score of at least 9.0. All affect multiple versions of the respective software.
Oracle may be perceived as the "database company," but its flagship product Oracle Database Server hasn't been a major focus of the CPU in years, and that remains the case even with this monster update. Oracle released only five patches for Oracle Database Server, three of which address remotely exploitable flaws in the Oracle Secure Backup and Oracle Big Data Graph components bundled with the server. The CPU had 30 patches for MySQL, the database Oracle acquired as part of its 2009 Sun acquisition, of which nine were remotely exploitable without authentication.