Thursday Sep 15, 2011

Security Alert for CVE-2011-3192 Released

Hi, this is Eric Maurice.

Oracle just released a Security Alert for CVE-2011-3192, also known as “Apache Killer.”  This vulnerability was recently discovered in the Apache HTTP Server and publicly disclosed.  The flaw lies in the server's handling of the HTTP Range header: a single request carrying a large number of overlapping byte ranges makes the byterange filter consume memory and CPU out of all proportion to the request, so a small number of requests can exhaust the server.  It affects a number of Oracle products through their implementation of Apache, including Oracle Application Server and Oracle Fusion Middleware (a list of the affected products is provided in the Security Alert Advisory). 

The National Vulnerability Database has reported a CVSS Base Score of 7.8 for this vulnerability, which corresponds to a complete denial of service (DoS) of the operating system.  A complete operating system denial of service is not possible on any platform supported by Oracle, however, and as a result Oracle has given the vulnerability a CVSS Base Score of 5.0, indicating a complete DoS of the Oracle HTTP Server but not of the operating system.  The two scores differ only in the Availability impact metric (Complete in the NVD score, Partial in Oracle's); the access vector, complexity and authentication metrics are the same in both. 

This vulnerability allows a remote, unauthenticated attacker to hang the Oracle HTTP Server with an attack that is trivial to launch.  Due to the criticality of this vulnerability, and particularly its ease of exploitation, Oracle decided to release fixes for the affected and supported products as soon as the testing of these fixes was completed, ahead of the next scheduled Critical Patch Update on October 18th 2011. 

Oracle recommends that all affected customers apply the fixes provided by this Security Alert as soon as possible in order to maintain a defense-in-depth posture, even if they have already applied some of the workarounds that have been published on the Internet, as Oracle has found that many of these workarounds can cause regression issues across the stack.  A workaround reduces exposure while the patch is being scheduled; it is not a substitute for the fix. 

This recommendation also applies to other vendors’ products which may contain this vulnerability as a result of their implementation of the Apache HTTP Server.  Organizations should quickly determine which of their systems are vulnerable, obtain the necessary patches from their respective suppliers, and plan to apply these patches quickly, especially on externally facing systems.
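As an added example (not part of Oracle's alert, and not Apache's code), the check below mirrors the logic of the Range-header workaround Apache published for CVE-2011-3192, which refuses any request whose Range header carries more than five byte ranges; it also flags ranges that overlap one another, which is the pattern the disclosed attack relied on. The header values it runs against are constructed samples rather than captured traffic, and the function names, the five-range threshold and the 4096-byte body length are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Threshold used by the Range-header workaround Apache published for
# CVE-2011-3192: requests carrying more than five byte ranges are refused.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_range_header(value: str) -> Optional[List[ByteRange]]:
    """Parse an HTTP/1.1 Range header value into (first, last) pairs.

    Returns None when the value is not a syntactically valid bytes range set;
    a server ignores such a header and serves the whole representation.
    """
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs: List[ByteRange] = []
    for raw in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(raw.strip())
        if m is None or (not m.group(1) and not m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def is_abusive_range(value: str, content_length: int,
                     max_ranges: int = MAX_RANGES) -> bool:
    """Decide whether a Range header should be refused before the byterange
    filter ever sees it: too many ranges, or ranges that overlap each other."""
    specs = parse_range_header(value)
    if specs is None:
        return False          # malformed header: no ranges will be served
    if len(specs) > max_ranges:
        return True           # the published workaround stops here
    # Resolve each spec to an absolute, inclusive interval within the body.
    # Specs with first > last are unsatisfiable and are skipped, as a server would.
    intervals: List[Tuple[int, int]] = []
    for first, last in specs:
        if first is None:                          # "-N": the last N bytes
            start, end = max(0, content_length - last), content_length - 1
        else:
            start = first
            end = content_length - 1 if last is None else min(last, content_length - 1)
        if start <= end:
            intervals.append((start, end))
    intervals.sort()
    # Any interval starting at or before the previous one ends is an overlap.
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(intervals, intervals[1:]))


# Constructed sample header values (not captured traffic).
SAMPLE_NORMAL = "bytes=0-499,1000-1499"
# Same shape as the disclosed attack: one open range followed by many
# unsatisfiable "5-n" ranges, far more than a client ever legitimately sends.
SAMPLE_DISCLOSED_PATTERN = "bytes=0-," + ",".join(f"5-{i}" for i in range(20))
SAMPLE_OVERLAPPING = "bytes=0-999,500-1499,1500-"


if __name__ == "__main__":
    for header in (SAMPLE_NORMAL, SAMPLE_DISCLOSED_PATTERN, SAMPLE_OVERLAPPING):
        verdict = "REJECT" if is_abusive_range(header, content_length=4096) else "allow"
        print(f"{verdict:6} {header[:60]}")
```

The count check alone is what the published mod_rewrite workaround does; the overlap check is stricter and would also catch a short header whose ranges re-request the same bytes. Either way, a malformed header is deliberately allowed through, because a server that cannot parse the header falls back to sending the whole body and never enters the byterange filter.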

For More Information:

Tuesday Jul 19, 2011

July 2011 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the July 2011 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities in a wide range of product families including: Oracle Database Server, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle Sun Products. 

Out of these 78 vulnerabilities, 13 affect Oracle Database Server, including one affecting Oracle Database Vault and two affecting client-only deployments.  The CVSS Base Scores for these Database Server vulnerabilities range between 1.3 and 7.1. 

This Critical Patch Update also provides fixes for 3 security flaws affecting Oracle Secure Backup.  The highest CVSS Base Score for the vulnerabilities affecting Secure Backup is 10.0, which denotes a remotely exploitable, unauthenticated vulnerability that can lead to a complete compromise of the host.  Oracle Secure Backup customers are therefore urged to apply this Critical Patch Update as soon as possible.

In addition, 7 fixes are provided for Oracle Fusion Middleware.  The highest CVSS Base Score for vulnerabilities affecting Oracle Fusion Middleware is 10.0.  This CVSS Base Score is related to previously released Java SE security fixes applicable to JRockit.  Note again that Java SE security fixes continue to be issued on a separate Critical Patch Update schedule (the schedule for the Critical Patch Updates for Java SE and all other Oracle products is posted at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

18 security fixes are provided for Oracle Enterprise Manager Grid Control.  The CVSS Base Scores for the Enterprise Manager Grid Control vulnerabilities fixed in this Critical Patch Update range between 4.3 and 6.8. 

23 new security fixes are provided for the Oracle Sun Product Suite, including Oracle OpenSSO, Solaris, Oracle GlassFish Server, etc.  The CVSS Base Scores for the Oracle Sun Product Suite vulnerabilities fixed in this Critical Patch Update range between 1.7 and 10.0. 

With the addition of the Sun products, Oracle Software Security Assurance programs now extend to the software components of hardware products, including firmware.  Firmware and other hardware-related security fixes are included in the Critical Patch Updates.  But the application of Oracle Software Security Assurance by the former hardware divisions of Sun does not end with the Critical Patch Update and Security Alert programs! 

Before the acquisition, there were differences between the security practices of the various hardware groups at Sun (e.g. between the Solaris, Development Tools, Volume Systems, Enterprise Systems and Disk Storage divisions); these practices are now integrated under Oracle Software Security Assurance guidance.  For example, security release criteria (i.e. the security items on the mandatory checklist that a software product must pass before it becomes GA) are applied uniformly across all Hardware Systems divisions.  The development teams across the Hardware Systems division also have access to a broader set of security tools, including static analysis tools.  These changes will help further strengthen the security quality of the code produced by these groups. 

Oracle Software Security Assurance programs affect ALL Oracle products (and their respective development organizations) and help ensure consistency in coding practices, security reporting, etc., resulting in effective information sharing between Oracle groups.  This is particularly important because customers reap security benefits when purchasing Oracle-engineered systems (e.g. Exadata, Exalogic, etc.) as opposed to getting multi-vendor bundles (or attempting to integrate complex systems from multiple vendors themselves).  For example, consistent and extended security checklists applied when Oracle solutions are brought together help ensure security integrity across the solution stack being offered to customers, who then need not rely upon the consistency of multiple vendors’ security assurance programs. 

As always, Oracle recommends that customers review the risk matrices included in the Critical Patch Update Advisory to determine whether these fixes are relevant to them and, if so, determine the potential risk these vulnerabilities create in their environment, and ultimately determine their patching priority.  As a reminder, Oracle recently started to issue a plain-English version of the risk matrices to help customers who may not yet be familiar with CVSS get accustomed to the standard.  In addition, a technical white paper is available on Oracle’s web site to help customers come up with a repeatable process for dealing with security patches in their environment.

 

For More Information:

· The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

· More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

 

Tuesday Jun 07, 2011

June 2011 Java SE Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the June 2011 Critical Patch Update for Java SE. Today’s Java Critical Patch Update provides fixes for 17 new security vulnerabilities. 

Out of these 17 vulnerabilities, 9 have received a CVSS Base Score of 10.0.  This means that, in case of successful exploitation of any of these vulnerabilities, a complete compromise of the targeted system is possible.  Per Oracle policies, we report the highest CVSS score across all possible platforms.  In this case, the reported score of 10.0 reflects the practice of many Windows users of running their systems with Administrative privileges, so that code which escapes the Java sandbox runs with full control of the machine.  On other operating systems (e.g. Linux, Unix), and whenever Java is executed by a user with limited privileges, the CVSS score for these vulnerabilities would be 7.5, reflecting a compromise of the Java application but not a complete compromise down to the OS layer.  The CVSS Base Scores for the remaining 8 vulnerabilities fixed in this Java Critical Patch Update range from 2.6 to 7.6.

One of these 17 vulnerabilities is specific to server deployments of Java.  This means that it can only be exploited by supplying malicious input to APIs in the specified component (e.g. through a Web Service); it cannot be exploited through Java Web Start applications or Java applets.

Out of these 17 vulnerabilities, 5 affect both client and server deployments of Java.  This means that these vulnerabilities can be remotely exploited by supplying malicious data to APIs in the affected component on the server, or through untrusted Java Web Start applications and untrusted Java applets on clients.  (See the discussion of trusted and untrusted applications below.)  The remaining 11 vulnerabilities fixed in this Critical Patch Update affect client-only deployments.  This means that they can only be exploited through untrusted Java Web Start applications and untrusted Java applets.

Java is designed to execute untrusted Java Web Start applications and untrusted applets in the Java sandbox with limited privileges.  However, if successfully exploited, the vulnerabilities affecting client deployments fixed in this Critical Patch Update can escape the sandbox, and in some instances (as denoted by a CVSS Base Score of 10.0), result in the full compromise of the targeted system.

Two conditions are required before Java applets or Java Web Start applications are considered trusted.  They have to be signed, and the user is required to click "Run" in response to a security dialog prior to their execution.  In other words, clicking "Run" makes the signed applet or signed Java Web Start application "trusted".  When trusted, such Java Web Start applications and Java applets run outside the sandbox and execute with the privileges of the user running them.  Trusted applets and trusted Java Web Start applications can access the same resources to which the user has access: e.g. they can read and write the same files the user can read and write, they can make network connections, etc.  The signature identifies who published the code; it says nothing about whether the code is safe.  As a result, users should exercise caution before allowing signed Java applets and signed Java Web Start applications to run. 

If, after being prompted to run such a signed Web Start application or signed Java applet, the user clicks "Cancel" in the security dialog (instead of “Run”), the signed applet or Web Start application executes as untrusted, just like an unsigned applet, and in the absence of a security vulnerability is confined to the Java sandbox.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible.

 

For More Information:

The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml

 

Tuesday Apr 19, 2011

April 2011 Critical Patch Update Released


Tuesday Apr 05, 2011

Understanding the Common Vulnerability Scoring System (CVSS)


Tuesday Feb 22, 2011

Take Advantage of Oracle's Ongoing Assurance Effort!


Tuesday Feb 15, 2011

February 2011 Java SE and Java for Business Critical Patch Update Released


Tuesday Feb 08, 2011

Security Alert For CVE-2010-4476 Released


Tuesday Jan 18, 2011

January 2011 Critical Patch Update Released


Wednesday Dec 15, 2010

A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.
