Tuesday Apr 19, 2016

April 2016 Critical Patch Update Released

Oracle today released the April 2016 Critical Patch Update.

This Critical Patch Update provides fixes for a wide range of product families including: Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle recommends this Critical Patch Update be applied as soon as possible. A summary and analysis of this Critical Patch Update has been published on My Oracle Support (MOS Note 2126904.1)

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

My Oracle Support Note 2126904.1 is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2126904.1 (MOS account required).

Wednesday Mar 23, 2016

Security Alert CVE-2016-0636 Released

Oracle released Security Alert CVE-2016-0636 to address a vulnerability affecting Java SE in web browsers on desktops. This vulnerability has received a CVSS Base Score of 9.3 and is remotely exploitable without authentication. A successful exploitation of this vulnerability would typically require an unsuspecting user running an affected version of Java SE to visit a malicious web site.

Oracle recommends customers apply this Security Alert as soon as possible. Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.


For more information:

The Advisory for Security Alert CVE-2016-0636 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html

Friday Feb 05, 2016

Security Alert CVE-2016-0603 Released

Oracle just released Security Alert CVE-2016-0603 to address a vulnerability that can be exploited when installing Java 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8. Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.

Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.

As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.

For more information, the advisory for Security Alert CVE-2016-0603 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html

 

Tuesday Jan 19, 2016

January 2016 Critical Patch Update Released

Oracle today released the January 2016 Critical Patch Update.  With this Critical Patch Update release, the Critical Patch Update program enters its 11th year of existence (the first Critical Patch Update was released in January 2005).  As a reminder, Critical Patch Updates are currently released 4 times a year, on a schedule announced a year in advance.  Oracle recommends that customers apply this Critical Patch Update as soon as possible.

The January 2016 Critical Patch Update provides fixes for a wide range of product families; including: 

  • Oracle Database
    • None of these database vulnerabilities are remotely exploitable without authentication. 
  • Java SE vulnerabilities
    • Oracle strongly recommends that Java home users visit the java.com web site, to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed.
  • Oracle E-Business Suite.
    • Oracle’s ongoing assurance effort with E-Business Suite helps remediate security issues and is intended to help enhance the overall security posture provided by E-Business Suite.

Oracle takes security seriously, and strongly encourages customers to keep up with newer releases in order to benefit from Oracle’s ongoing security assurance effort.  

For more information:

The January 2016 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

The Oracle Software Security Assurance web site is located at https://www.oracle.com/support/assurance/index.html.

Oracle Applications Lifetime Support Policy is located at http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf.

Tuesday Nov 10, 2015

Security Alert CVE-2015-4852 Released

Hello, this is Eric Maurice.   

Oracle released Security Alert CVE-2015-4852 on November 10, 2015 to address the publicly-reported deserialization vulnerability involving Oracle WebLogic Server and the Apache Commons library.   Apache Commons is a project of the Apache Software Foundation, which provides and maintains a widely-used set of Java components.  This library is used by a number of Oracle products as well as many other vendors’ products and open source projects.   

According to Wikipedia, “serialization is the process of translating data structures or object state into a format that can be stored” (in a file, in memory, etc.).   Deserialization is the reverse process (the extraction of the data or object).  The security implications of deserialization have been known for a number of years.  OWASP refers to this kind of vulnerabilities as “deserialization of untrusted data.”  In a nutshell, security vulnerabilities may occur when software developers assume that serialized data can be trusted and is well-formed.    

Vulnerability CVE-2015-4852 has received a CVSS Base Score of 7.5.  If successfully exploited, it can result in remote code execution within Oracle WebLogic Server.  This vulnerability is remotely exploitable without authentication (in instances where the vulnerable component can be accessed by the malicious perpetrator in the absence of other controls such as network access restrictions).   

While permanent fixes are being prepared for Oracle WebLogic Server, this Security Alert provides mitigation instructions.  Please note that the Security Alert also provides instructions for cloud customers on how to obtain more information about the potential impact of this vulnerability in the Oracle Cloud.

For More Information:

The Advisory for Security Alert CVE-2015-4852 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html  

Tuesday Oct 20, 2015

October 2015 Critical Patch Update Released

Hi, this is Eric Maurice. Oracle released the October 2015 Critical Patch Update today.  As a reminder, the Critical Patch Update is Oracle’s primary program for the release of security fixes across Oracle product lines. 

Critical Patch Updates are released 4 times a year, in a schedule that is announced a year in advance.  This predictability is intended to provide Oracle customers the ability to plan for the timely application of these security fixes, so that they can maintain their security posture.  In other words, the predictability of the Critical Patch Update schedule is intended to provide Oracle customers with the ability to include security patching in their regular maintenance activities. 

Periodically, Oracle continues to receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes.  In some instances, it was reported that malicious attackers were successful because targeted Oracle customers had not applied available security patches.  The problem of the non-application of security fixes is all too common in the industry, particularly around complex enterprise applications, due to their complexity, need for near-complete availability, and need for patch testing and validation prior to deployment in production. Oracle recommends that Critical Patch Updates be applied as soon as possible.  This recommendation is particularly important today because the October 2015 Critical Patch Update include a number of fixes for very severe vulnerabilities. 

The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

Out of these 154 new security fixes, 8 are for the Oracle Database.  The most severe of these database vulnerabilities (CVE-2015-4863) has received a CVSS Base Score of 10.0.  This CVSS Base Score of 10.0 denotes a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system.  In addition, 3 database vulnerabilities received a CVSS Base Score of 9.0. 

The October 2015 Critical Patch Update provides 15 new security fixes for Oracle Sun Systems Products Suite.  One of the vulnerabilities fixed with this Critical Patch Update (CVE-2015-4915), has received a CVSS Base Score of 10.0.  This vulnerability affects the Integrated Lights Out Manager (a.k.a. ILOM), which is used across a number of products.  In addition to applying the necessary patches as soon as possible, Oracle recommends that customers ensure the ILOM interface be not publicly accessible over the Internet.

This Critical Patch Update also provides 23 security fixes for Oracle Fusion Middleware, 16 of which are remotely exploitable without authentication.  The most severe CVSS Base Score reported for these vulnerabilities is 7.5. 

Oracle Hyperion receives one new security fix with a CVSS Base Score of 1.2.

Oracle Enterprise Manager Grid Control receives 5 new security fixes, 3 of which are remotely exploitable without authentication.  The highest reported CVSS Base Score for the vulnerabilities is 6.8.

This Critical Patch Update also includes a number of fixes for Oracle Applications, including 12 new security fixes for Oracle E-Business Suite (maximum reported CVSS Base Score for E-Business Suite is 6.8), 8 new fixes for Oracle Supply Chain Products Suite (maximum CVSS Base Score of 6.8), 8 new security fixes for Oracle PeopleSoft Enterprise products (maximum CVSS Base Score of 6.8), 1 new security fix for Oracle Siebel CRM (CVSS Base Score of 4.3). 

Oracle Industry Applications receive 14 new security fixes.  9 of these fixes are for Oracle Communications Applications, including 5 new fixes for a vulnerability rated with a CVSS Base Score of 10.0 (CVE-2015-2608 affects a component used on 5 of these products).  Oracle Retail Applications get 4 new fixes and the highest reported CVSS Base Score for these vulnerabilities is 7.5.

Oracle Java SE receives 25 new security fixes, 24 of which are remotely exploitable without authentication.  The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0.  20 of the Java SE vulnerabilities only affect client deployment of Java SE (e.g., Java in the browser).  The remaining 5 vulnerabilities affect client and server deployments of Java SE.  Java home users should visit the java.com web site, to ensure that they are using the most recent version of Java and remove obsolete JAVA SE versions from their desktop if they are not needed.

Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible.  As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited “in the wild” (some of these bugs were discovered internally as part of our ongoing assurance effort).  However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort.  Keeping up with security releases is important to help preserve a security-in-depth posture.  Fortunately, Critical Patch Update fixes for most Oracle products are cumulative, and this means that the application of the October 2015 Critical Patch Update will resolve not only the new vulnerabilities reported in today’s advisory, but also all the previously-reported security issues affecting the affected Oracle product versions.

For More Information:

The October 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html 

Thursday Jul 30, 2015

CVSS Version 3.0 Announced

Hello, this is Darius Wiles.

Version 3.0 of the Common Vulnerability Scoring System (CVSS) has been announced by the Forum of Incident Response and Security Teams (FIRST). Although there have been no high-level changes to the standard since the Preview 2 release which I discussed in a previous blog post, there have been a lot of improvements to the documentation.

Soon, Oracle will be using CVSS v3.0 to report CVSS Base scores in its security advisories. In order to facilitate this transition, Oracle plans to release two sets of risk matrices, both CVSS v2 and v3.0, in the first Critical Patch Update (Oracle’s security advisories) to provide CVSS version 3.0 Base scores. Subsequent Critical Patch Updates will only list CVSS version 3.0 scores.

While Oracle expects most vulnerabilities to have similar v2 and v3.0 Base Scores, certain types of vulnerabilities will experience a greater scoring difference. The CVSS v3.0 documentation includes a list of examples of public vulnerabilities scored using both v2 and v3.0, and this gives an insight into these scoring differences. Let’s now look at a couple of reasons for these differences.

The v3.0 standard provides a more precise assessment of risk because it considers more factors than the v2 standard. For example, the important impact of most cross-site scripting (XSS) vulnerabilities is that a victim's browser runs malicious code. v2 does not have a way to capture the change in impact from the vulnerable web server to the impacted browser; basically v2 just considers the impact to the former. In v3.0, the Scope metric allows us to score the impact to the browser, which in v3.0 terminology is the impacted component. v2 scores XSS as "no impact to confidentiality or availability, and partial impact to integrity", but in v3.0 we are free to score impacts to better fit each vulnerability. For example, a typical XSS vulnerability, CVE-2013-1937 is scored with a v2 Base Score of 4.3 and a v3.0 Base Score of 6.1. Most XSS vulnerabilities will experience a similar CVSS Base Score increase.

Until now, Oracle has used a proprietary Partial+ metric value for v2 impacts when a vulnerability "affects a wide range of resources, e.g., all database tables, or compromises an entire application or subsystem". We felt this extra information was useful because v2 always scores vulnerabilities relative to the "target host", but in cases where a host's main purpose is to run a single application, Oracle felt that a total compromise of that application warrants more than Partial. In v3.0, impacts are scored relative to the vulnerable component (assuming no scope change), so a total compromise of an application now leads to High impacts. Therefore, most Oracle vulnerabilities scored with Partial+ impacts under v2 are likely to be rated with High impacts and therefore more precise v3.0 Base scores. For example, CVE-2015-1098 has a v2 Base score of 6.8 and a v3.0 Base score of 7.8. This is a good indication of the differences we are likely to see. Refer to the CVSS v3.0 list of examples for more details on score this vulnerability.

Overall, Oracle expects v3.0 Base scores to be higher than v2, but bear in mind that v2 scores are always relative to the "target host", whereas v3.0 scores are relative to the vulnerable component, or the impacted component if there is a scope change. In other words, CVSS v3.0 will provide a better indication of the relative severity of vulnerabilities because it better reflects the true impact of the vulnerability being rated in software components such as database servers or middleware.


For More Information

The CVSS v3.0 documents are located on FIRST's web site at http://www.first.org/cvss/

Oracle's use of CVSS [version 2], including a fuller explanation of Partial+ is located at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

My previous blog post on CVSS v3.0 preview is located at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview

Eric Maurice's blog post on Oracle's use of CVSS v2 is located at https://blogs.oracle.com/security/entry/understanding_the_common_vulne_2

Tuesday Jul 14, 2015

July 2015 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle today released the July 2015 Critical Patch Update. The Critical Patch Update program is Oracle’s primary mechanism for the release of security fixes across all Oracle products, including security fixes intended to address vulnerabilities in third-party components included in Oracle’s product distributions.

The July 2015 Critical Patch Update provides fixes for 193 new security vulnerabilities across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 193 fixes, 44 are for third-party components included in Oracle products distributions (e.g., Qemu, Glibc, etc.)

This Critical Patch Update provides 10 fixes for the Oracle Database, and 2 of the Database vulnerabilities fixed in today’s Critical Patch Update are remotely exploitable without authentication. The most severe of these database vulnerabilities has received a CVSS Base Score of 9.0 for the Windows platform and 6.5 for Linux and Unix platforms. This vulnerability (CVE-2015-2629) reflects the availability of new Java fixes for the Java VM in the database.

With this Critical Patch Update, Oracle Fusion Middleware receives 39 new security fixes, 36 of which are for vulnerabilities which are remotely exploitable without authentication. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5.

This Critical Patch Update also includes a number of fixes for Oracle applications. Oracle E-Business Suite gets 13 fixes, Oracle Supply Chain Suite gets 7, PeopleSoft Enterprise gets 8, and Siebel gets 5 fixes. Rounding up this list are 2 fixes for the Oracle Commerce Platform.

The Oracle Communications Applications receive 2 new security fixes. The highest CVSS Base Score for these vulnerabilities is 10.0, this score is for vulnerability CVE-2015-0235, which affects Glibc, a component used in the Oracle Communications Session Border Controller. Note that this same Glibc vulnerability is also addressed in a number of Oracle Sun Systems products.

Also included in this Critical Patch Update are 25 fixes Oracle Java SE. 23 of these Java SE vulnerabilities are remotely exploitable without authentication. 16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments. Please note that this Critical Patch Update also addresses a recently announced 0-day vulnerability (CVE-2015-2590), which was being reported as actively exploited in the wild.

This Critical Patch Update addresses 25 vulnerabilities in Oracle Berkeley DB, and none of these vulnerabilities are remotely exploitable without authentication. The highest CVSS Base score reported for these vulnerabilities is 6.9.

Note that the CVSS standard was recently updated to version 3.0. In a previous blog entry, Darius Wiles highlighted some of the enhancements introduced by this new version. Darius will soon publish another blog entry to discuss this updated CVSS standard and its implication for Oracle’s future security advisories. Note that the CVSS Base Score reported in the risk matrices in today’s Critical Patch Update were based on CVSS v2.0.

For More Information:

The July 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance

Friday May 15, 2015

Security Alert CVE-2015-3456 Released

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2015-3456 to address the recently publicly disclosed VENOM vulnerability, which affects various virtualization platforms. This vulnerability results from a buffer overflow in the QEMU's virtual Floppy Disk Controller (FDC).

While the vulnerability is not remotely exploitable without authentication, its successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system. As a result, a successful exploitation of the vulnerability can allow a malicious attacker with the ability to escape the confine of the virtual environment for which he/she had privileges for. This vulnerability has received a CVSS Base Score of 6.2.

Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already “in the wild.” Oracle further recommends that customers apply the relevant fixes as soon as they become available.

Oracle has also published a list of Oracle products that may be affected by this vulnerability. This list will be updated as fixes become available.

The Oracle Security and Development teams are also working with the Oracle Cloud teams to ensure that the Oracle Cloud teams can evaluate these fixes as they become available and be able to apply the relevant patches in accordance with applicable change management processes in these organizations.

For More Information:

The Security Alert Advisory is located at

http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html

The list of Oracle products that may be affected by this vulnerability is published at http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html

Tuesday Apr 14, 2015

April 2015 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle today released the April 2015 Critical Patch Update. The predictable nature of the Critical Patch Update program is intended to provide customers the ability to plan for the application of security fixes across all Oracle products. Critical Patch Updates are released quarterly in the months of January, April, July, and October. Unfortunately, Oracle continues to periodically receive reports of active exploitation of vulnerabilities that have already been fixed by Oracle in previous Critical Patch Update releases. In some instances, malicious attacks have been successful because customers failed to apply Critical Patch Updates. The “Critical” in the designation of the Critical Patch Update program is intended to highlight the importance of the fixes distributed through the program. Oracle highly recommends that customers apply these Critical Patch Updates as soon as possible. Note that Critical Patch Updates are cumulative for most Oracle products. As a result, the application of the most recent Critical Patch Update brings customers to the most recent security release, and addresses all previously-addressed security flaws for these products. The Critical Patch Update release schedule for the next 12 calendar months is published on Oracle’s Critical Patch Updates, Security Alerts and Third Party Bulletin page on Oracle.com.

The April 2015 Critical Patch Update provides 98 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle MySQL, and Oracle Support Tools.

Out of these 98 new fixes, 4 are for the Oracle Database. None of the database vulnerabilities are remotely exploitable without authentication. The most severe of the database vulnerabilities (CVE-2015-0457) has received a CVSS Base Score 9.0 only for Windows for Database versions prior to 12c. This Base Score is 6.5 for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms. This vulnerability is related to the presence of the Java Virtual Machine in the database.

17 of the vulnerabilities fixed in this Critical Patch Update are for Oracle Fusion Middleware. 12 of these Fusion Middleware vulnerabilities are remotely exploitable without authentication, and the highest reported CVSSS Base Score is 10.0. This CVSS10.0 Base Score is for CVE-2015-0235 (a.k.a. GHOST which affects the GNU libc library) affecting the Oracle Exalogic Infrastructure.

This Critical Patch Update also delivers 14 new security fixes for Oracle Java SE. 11 of these Java SE fixes are for client-only (i.e., these vulnerabilities can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets). Two apply to JSSE client and Server deployments and 1 to Java client and Server deployments. The Highest CVSS Base Score reported for these vulnerabilities is 10.0 and this score applies to 3 of the Java vulnerabilities (CVE-2015-0469, CVE-2015-0459, and CVE-2015-0491).

For Oracle Applications, this Critical Patch Update provides 4 new fixes for Oracle E-Business Suite , 7 for Oracle Supply Chain Suite, 6 for Oracle PeopleSoft Enterprise, 1 for Oracle JDEdwards EnterpriseOne, 1 for Oracle Siebel CRM, 2 for the Oracle Commerce Platform, and 2 for Oracle Retail Industry Suite, and 1 for Oracle Health Sciences Applications.

Finally, this Critical Patch Update provides 26 new fixes for Oracle MySQL. 4 of the MySQL vulnerabilities are remotely exploitable without authentication and the maximum CVSS Base Score for the MySQL vulnerabilities is 10.0.

As stated at the beginning of this blog, Oracle recommends that customers consistently apply Critical Patch Update as soon as possible. The security fixes provided through the Critical Patch Update program are thoroughly tested to ensure that they do not introduce regressions across the Oracle stack. Extensive documentation is available on the My Oracle Support Site and customers are encouraged to contact Oracle Support if they have questions about how to best deploy the fixes provided through the Critical Patch Update program.

For More Information:

The April 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

The Critical Patch Updates, Security Alerts and Third Party Bulletin page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html. Oracle’s vulnerability handling policies and practices are described at http://www.oracle.com/us/support/assurance/vulnerability-remediation/introduction/index.html

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« April 2016
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
       
Today