Hi, this is Eric Maurice. Oracle released the October 2015 Critical Patch Update today. As a reminder, the Critical Patch Update is Oracle’s primary program for the release of security fixes across Oracle product lines.
Critical Patch Updates are released 4 times a year, in a schedule that is announced a year in advance. This predictability is intended to provide Oracle customers the ability to plan for the timely application of these security fixes, so that they can maintain their security posture. In other words, the predictability of the Critical Patch Update schedule is intended to provide Oracle customers with the ability to include security patching in their regular maintenance activities.
Periodically, Oracle continues to receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it was reported that malicious attackers were successful because targeted Oracle customers had not applied available security patches. The problem of the non-application of security fixes is all too common in the industry, particularly around complex enterprise applications, due to their complexity, need for near-complete availability, and need for patch testing and validation prior to deployment in production. Oracle recommends that Critical Patch Updates be applied as soon as possible. This recommendation is particularly important today because the October 2015 Critical Patch Update include a number of fixes for very severe vulnerabilities.
The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.
Out of these 154 new security fixes, 8 are for the Oracle Database. The most severe of these database vulnerabilities (CVE-2015-4863) has received a CVSS Base Score of 10.0. This CVSS Base Score of 10.0 denotes a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system. In addition, 3 database vulnerabilities received a CVSS Base Score of 9.0.
The October 2015 Critical Patch Update provides 15 new security fixes for Oracle Sun Systems Products Suite. One of the vulnerabilities fixed with this Critical Patch Update (CVE-2015-4915), has received a CVSS Base Score of 10.0. This vulnerability affects the Integrated Lights Out Manager (a.k.a. ILOM), which is used across a number of products. In addition to applying the necessary patches as soon as possible, Oracle recommends that customers ensure the ILOM interface be not publicly accessible over the Internet.
This Critical Patch Update also provides 23 security fixes for Oracle Fusion Middleware, 16 of which are remotely exploitable without authentication. The most severe CVSS Base Score reported for these vulnerabilities is 7.5.
Oracle Hyperion receives one new security fix with a CVSS Base Score of 1.2.
Oracle Enterprise Manager Grid Control receives 5 new security fixes, 3 of which are remotely exploitable without authentication. The highest reported CVSS Base Score for the vulnerabilities is 6.8.
This Critical Patch Update also includes a number of fixes for Oracle Applications, including 12 new security fixes for Oracle E-Business Suite (maximum reported CVSS Base Score for E-Business Suite is 6.8), 8 new fixes for Oracle Supply Chain Products Suite (maximum CVSS Base Score of 6.8), 8 new security fixes for Oracle PeopleSoft Enterprise products (maximum CVSS Base Score of 6.8), 1 new security fix for Oracle Siebel CRM (CVSS Base Score of 4.3).
Oracle Industry Applications receive 14 new security fixes. 9 of these fixes are for Oracle Communications Applications, including 5 new fixes for a vulnerability rated with a CVSS Base Score of 10.0 (CVE-2015-2608 affects a component used on 5 of these products). Oracle Retail Applications get 4 new fixes and the highest reported CVSS Base Score for these vulnerabilities is 7.5.
Oracle Java SE receives 25 new security fixes, 24 of which are remotely exploitable without authentication. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. 20 of the Java SE vulnerabilities only affect client deployment of Java SE (e.g., Java in the browser). The remaining 5 vulnerabilities affect client and server deployments of Java SE. Java home users should visit the java.com web site, to ensure that they are using the most recent version of Java and remove obsolete JAVA SE versions from their desktop if they are not needed.
Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible. As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited “in the wild” (some of these bugs were discovered internally as part of our ongoing assurance effort). However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort. Keeping up with security releases is important to help preserve a security-in-depth posture. Fortunately, Critical Patch Update fixes for most Oracle products are cumulative, and this means that the application of the October 2015 Critical Patch Update will resolve not only the new vulnerabilities reported in today’s advisory, but also all the previously-reported security issues affecting the affected Oracle product versions.
For More Information:
The October 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html