Wednesday Dec 14, 2011

Keeping Up With Newer Releases is Good Security Practice

Hi, this is Eric Maurice again.

On October 18th 2011, Oracle released the October 2011 Critical Patch Update.  As usual, this Critical Patch Update included a number of fixes across a wide range of products, including the Oracle Database.  In the blog entry summarizing the Critical Patch Update, I highlighted the fact that the number of fixes released for the Oracle Database was expected to remain low and made the following statement:

“As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition, our secure coding efforts have also helped reduce the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.”

In today’s follow-up, we are going to discuss the various patching options available to Oracle Database customers and go over the security benefits resulting from keeping up with the most recent releases (patch sets and major releases) of the Oracle Database.  Note that many of the concepts discussed in this blog are also applicable for Oracle Fusion Middleware and Oracle Enterprise Manager products.

In order to provide the best security posture to all Oracle customers, Oracle’s security fixing policies generally require Oracle to fix security vulnerabilities in severity order: in other words, Oracle tries to fix the most severe vulnerabilities first.

Oracle provides Database security and non-security fixes in major releases, Patch Sets, and Patch Set Updates (PSUs), whereas traditional Critical Patch Update patches (not PSUs) include only security fixes (more details about the content of each of these types of patches follow). 

Let’s have a more detailed look into the content that goes in the different types of Oracle patches and updates and how this content might affect an organization’s patching strategy.

Traditional Critical Patch Update patches include only security vulnerability related content.  They generally provide fixes for higher risk security vulnerabilities.  Oracle’s focus with these patches is to address higher risk issues while ensuring that customers’ environments remain stable after patch application.  These patches include fixes for vulnerabilities which can be directly exploitable (e.g. buffer overflows) and which could ultimately result in the takeover of the targeted system.

Traditional Critical Patch Update patches typically do not address issues that cannot be directly exploited (e.g. a violation of the least-privilege policy and other security-in-depth fixes) unless they could aggravate the impact of another directly exploitable issue.  They also do not provide fixes for issues for which there are no exploits but which are otherwise contrary to secure coding principles.  For example, we routinely fix issues such as specific uninitialized variables, which have no known security exploits, but for which we are concerned that someone might find a way to exploit them.

Traditional Critical Patch Update patches also do not include fixes for certain exploitable issues that have very low risk when the fixes could result in customer applications failing to work properly without modification.  They also do not include fixes for exploitable issues that are very low risk (such as when the exploitation window is very narrow, for example when limited to a short period during installation).  In addition, Critical Patch Updates typically do not include fixes that require large scale code modification or for which there is no reasonable patching mechanism.

Again, Oracle’s focus with the traditional Critical Patch Update patches is to address higher risk issues while ensuring that their application will not cause customers to experience significant impact in production.

Patch Set Updates (PSUs) are another type of bundled patches distributed under the Critical Patch Update program.  In addition to containing all the fixes contained in the traditional Critical Patch Update bundles, PSUs also contain non-security fixes for issues that have been reported by multiple customers. 

These non security PSU fixes are designed to provide high-reward / low-risk fixes, and are an expression of Oracle’s overall proactive support strategy.  Before their inclusion in a PSU, Oracle will have determined that these non-security fixes have already been installed at a number of customer sites with no reported negative effects.  A Patch Set Update is denoted by incrementing the 5th place in the version string (e.g. Oracle Database Server 11.2.0.3.1). 

Next, let’s have a look at Patch Sets.  A Patch Set release is identifiable by the 4th place in the version string (for example, 11.2.0.2.0, 11.2.0.3.0).  Patch Sets contain all the PSU fixes as well as additional content.  This additional content includes reworked security PSU fixes to make them more extensive or to cover more in-depth issues.  It can also include additional fixes for security-in-depth issues, including fixes for issues such as uninitialized variables and other issues related to unsafe coding practices, which are not known to be exploitable but nevertheless have been fixed by Oracle to prevent their use in case they were ever discovered by an attacker.

Major releases (denoted by the number before and the digit after the “dot” in the version number, e.g. for Oracle Database 11g Release 1 the major release would be the "11.1" in the patch set 11.1.0.7) contain all the above Patch Set fixes as well as additional reworked security fixes to make them more extensive or to cover more in-depth issues.  Major releases also contain many additional fixes for security in-depth issues as well as major architectural fixes that improve security in a comprehensive manner.  In addition to providing new product features, major releases will also contain fixes that were not delivered in Patch Sets or PSUs because of Oracle’s concerns about negative impact on existing applications without code or significant configuration changes.

Note again that because of Oracle’s policies governing the sequencing of the security fixes, it is possible that certain security fixes will be included in Patch Sets or product releases distributed before the relevant Critical Patch Update.  In other words, in some instances the fix for a given vulnerability may be included in a Patch Set or a product release, before the vulnerability is fixed in a consequent Critical Patch Update.  Furthermore, though we try to avoid such a situation, there are instances where security fixes cannot be backported to previous but still supported releases because the nature of the fix is too complex, may require an in-depth re-engineering of the code, or may require extensive code or configuration changes by the customers.  In such instances, the security fixes may only be available through a patchset or more likely through a major release.
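The version-string layout described above (major release in the first two fields, Patch Set in the 4th, PSU in the 5th) is what a patch-tracking script needs to decide what kind of upgrade a candidate version represents. The following is an added example, not Oracle's own tooling; the class and function names are my own, and the 3rd field, which the post does not describe, is compared numerically but not given a name.

```python
"""Classify Oracle Database version strings the way the post lays them out.

Example: 11.2.0.3.1 -> major release "11.2", Patch Set "11.2.0.3",
Patch Set Update "11.2.0.3.1".  Added illustration, not Oracle's code.
"""
import re
from dataclasses import dataclass

# Four or five dot-separated integers; a missing 5th field means PSU 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


@dataclass(frozen=True)
class OracleVersion:
    fields: tuple  # always five integers after parsing

    @classmethod
    def parse(cls, text):
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not an Oracle version string: {text!r}")
        groups = [int(g) if g is not None else 0 for g in m.groups()]
        return cls(tuple(groups))

    @property
    def major_release(self):
        # The number before and the digit after the first dot, e.g. "11.2".
        return f"{self.fields[0]}.{self.fields[1]}"

    @property
    def patch_set(self):
        # Patch Set level is carried by the 4th field, e.g. "11.2.0.3".
        return ".".join(str(f) for f in self.fields[:4])

    @property
    def psu(self):
        # Patch Set Updates increment the 5th field.
        return self.fields[4]


# Fix content each kind of release carries, per the post's description.
# Each level is a superset of the one before it.
CONTENT = {
    "patch set update": ["CPU security fixes", "low-risk non-security fixes"],
    "patch set": ["CPU security fixes", "low-risk non-security fixes",
                  "reworked / security-in-depth fixes"],
    "major release": ["CPU security fixes", "low-risk non-security fixes",
                      "reworked / security-in-depth fixes",
                      "architectural fixes not backportable to Patch Sets"],
}


def update_kind(installed, candidate):
    """Return what moving from `installed` to `candidate` would be."""
    a, b = OracleVersion.parse(installed), OracleVersion.parse(candidate)
    if b.fields == a.fields:
        return "same"
    if b.fields < a.fields:
        return "downgrade"
    if b.major_release != a.major_release:
        return "major release"
    if b.patch_set != a.patch_set:
        return "patch set"
    return "patch set update"


def added_content(installed, candidate):
    """Categories of fixes the upgrade brings, or [] if none."""
    return CONTENT.get(update_kind(installed, candidate), [])


if __name__ == "__main__":
    for pair in [("11.2.0.3.0", "11.2.0.3.1"), ("11.2.0.2.0", "11.2.0.3.0"),
                 ("11.1.0.7", "11.2.0.3.1")]:
        print(pair, "->", update_kind(*pair), added_content(*pair))
```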

Oracle recommends that, to optimize their security posture, as well as to fully take advantage of Oracle’s proactive support model (through the release of low risk fixes for commonly encountered issues), customers have a plan that includes regular patch sets and release upgrades coupled with quarterly patch set updates.  Such upgrades are provided without additional charge to customers with Oracle Premier Support.

These upgrades provide not only critical security benefits, even in instances where customers apply ALL the Critical Patch Updates in a timely fashion, but also tangible production benefits, as customers on recent releases are less likely to experience production issues that have been reported by other customers and for which Oracle has produced a fix.


Tuesday Oct 18, 2011

October 2011 Critical Patch Updates Released

Hello, this is Eric Maurice.

Oracle just released the October 2011 Critical Patch Update and the Critical Patch Update for Java SE.  As explained in previous blogs, because of commitments made before the completion of the Sun acquisition, the security patches for Java SE are typically released on a different schedule than other Oracle products. However, today, the release date of the Critical Patch Update for Java SE coincided with the regular Critical Patch Update release schedule.

The October 2011 Critical Patch Update for Java SE provides fixes for 20 new security vulnerabilities.  The highest CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0, and it is applicable to 6 vulnerabilities.  In addition, one of these 20 new fixes is for the “BEAST” exploit.  “BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389, and it has a CVSS Base Score of 4.3.  Note also that beginning with this Critical Patch Update, security fixes for Oracle JRockit will no longer be released with the Oracle Fusion Middleware fixes but instead will be released along with Java SE fixes in the Critical Patch Update for Java SE.  The primary benefit of this change is that Oracle JRockit will now receive Java-related fixes as soon as these fixes are released by Oracle (JRockit fixes were previously distributed with other Oracle Fusion Middleware fixes in the next Critical Patch Update that followed the Critical Patch Update for Java SE).

The October 2011 Critical Patch Update provides fixes for 57 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Linux and Virtualization, and Oracle Sun product suite.  None of the 57 new fixes are applicable for client-only deployments. 

Of the 57 new fixes, 5 are for Oracle Database Server.  None of the Oracle Database Server vulnerabilities addressed in this Critical Patch Update are remotely exploitable without authentication.  The most severe vulnerability affecting the Oracle Database Server products suite affects Oracle Application Express (APEX), and it has received a CVSS Base Score of 6.5.  None of these fixes are applicable to client-only deployments.

As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition, our secure coding efforts have also helped reduce the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.

22 out of the 57 fixes provided with this Critical Patch Update are for the Oracle Sun product suite.  The most severe of these vulnerabilities affects the LDAP Library in Sun Solaris (CVE-2011-3508) and has received a CVSS Base Score of 9.3.  Oracle recommends that Solaris customers apply this Critical Patch Update as soon as possible.


Finally, please note that this Critical Patch Update lists a fix for Oracle Linux.  Starting with this Critical Patch Update, security fixes in proprietary components of Oracle Linux will be listed in the Critical Patch Update advisory.  However, the security fixes for the code generated by the Linux community, as well as those for proprietary Oracle components, will continue to be released through the El-errata documentation, in the same fashion as before.


Thursday Sep 15, 2011

Security Alert for CVE-2011-3192 Released

Hi, this is Eric Maurice.

Oracle just released a Security Alert for CVE-2011-3192, also known as “Apache Killer.”  This vulnerability was recently discovered in the Apache HTTP Server and publicly disclosed.  It affects a number of Oracle products through their implementation of Apache, including Oracle Application Server and Oracle Fusion Middleware (a list of the affected products is provided in the Security Alert Advisory). 

The National Vulnerability Database has reported a CVSS Base Score for this vulnerability of 7.8, indicating a complete Operating System denial of service (DoS); however, a complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result Oracle has given the vulnerability a CVSS Base Score of 5.0, indicating a complete DoS of the Oracle HTTP Server but not of the Operating System.

This vulnerability allows a malicious attacker to hang the Oracle HTTP Server product via an easy-to-deploy, unauthenticated network attack.  Due to the criticality of this vulnerability and particularly its ease of exploitation, Oracle decided to release fixes for the affected and supported products as soon as the testing for these fixes was completed, before the release of the next scheduled Critical Patch Update on October 18th 2011. 

Oracle recommends that all affected customers apply the fixes provided by this Security Alert as soon as possible in order to maintain their “security in depth” posture, even if they have applied some of the workarounds that have been published on the Internet, as Oracle has found that many of these workarounds can cause regression issues across the stack.

This recommendation is also applicable to other vendors’ products which may contain this vulnerability as a result of their implementation of the Apache HTTP Server.  Organizations should quickly determine which of their systems are vulnerable, obtain the necessary patches from their respective suppliers, and plan to apply these patches quickly, especially on external facing systems.


Tuesday Jul 19, 2011

July 2011 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the July 2011 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities in a wide range of product families including: Oracle Database Server, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle Sun Products. 

Out of these 78 vulnerabilities, 13 affect Oracle Database Server, including one affecting Oracle Database Vault and 2 affecting client-only deployments.  The CVSS Base Scores for these Database Server vulnerabilities range between 1.3 and 7.1. 

This Critical Patch Update also provides fixes for 3 security flaws affecting Oracle Secure Backup.  The highest CVSS Base Score for the vulnerabilities affecting Secure Backup is 10.0.  Oracle Secure backup customers are therefore urged to apply this Critical Patch Update as soon as possible.

In addition, 7 fixes are provided for Oracle Fusion Middleware.  The highest CVSS Base Score for vulnerabilities affecting Oracle Fusion Middleware is 10.0.  This CVSS Base Score is related to previously released Java SE security fixes applicable to JRockit.  Note again that Java SE security fixes continue to be issued on a separate Critical Patch Update schedule (the schedule for the Critical Patch Updates for Java SE and all other Oracle products is posted at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

18 security fixes are provided for Oracle Enterprise Manager Grid Control.  The CVSS Base Scores for the Enterprise Manager Grid Control vulnerabilities fixed in this Critical Patch Update range between 4.3 and 6.8. 

23 new security fixes are provided for the Oracle Sun Product Suite, including Oracle OpenSSO, Solaris, Oracle GlassFish Server, etc.  The CVSS Base Scores for the Oracle Sun Product Suite vulnerabilities fixed in this Critical Patch Update range between 1.7 and 10.0.

With the addition of the Sun products, Oracle Software Security Assurance programs extend to the software components of hardware products, including firmware.  Firmware and other hardware-related security fixes are included in the Critical Patch Updates.  But the application of Oracle Software Security Assurance by the former hardware divisions of Sun does not end with the Critical Patch Update and Security Alert programs! 

While, before the acquisition, there were differences between the security practices of the various hardware security groups at Sun (e.g. differences between Solaris, Development Tools, Volume Systems, Enterprise Systems, Disk Storage divisions, etc.), these security practices are now integrated under Oracle Software Security Assurance guidance.  For example, security release criteria (i.e. security items in the mandatory checklist before allowing a software product to become GA) are applied uniformly across all Hardware Systems divisions.  Also, the development teams across the Hardware Systems division have access to a broader set of security tool sets, including static analysis tools.  These changes will help further strengthen the security quality of the code produced by these groups. 

Oracle Software Security Assurance programs affect ALL Oracle products (and their respective development organizations) and help ensure consistency in coding practices, security reporting, etc., resulting in effective information sharing between Oracle groups.  This is particularly important because customers will reap security benefits when purchasing Oracle-engineered systems (e.g. Exadata, Exalogic, etc.) as opposed to getting multi-vendor bundles (or attempting to integrate complex systems from multiple vendors by themselves).  For example, the existence of consistent and extended security checklists when bringing Oracle solutions together helps ensure security integrity across the solution stack being offered to customers, as customers need not rely upon the consistency of multiple vendors’ security assurance programs.

As always, Oracle recommends that customers review the risk matrices included in the Critical Patch Update Advisory to determine whether these fixes are relevant to them and, if so, determine the potential risk these vulnerabilities create in their environment, and ultimately determine their patching priority.  As a reminder, Oracle recently started to issue a plain-English version of the risk matrices to help customers who may not yet be familiar with CVSS get accustomed to the standard.  In addition, a technical white paper is available on Oracle’s web site to help customers come up with a repeatable process to deal with security patches in their environment.

For more information:

· The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

· More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Tuesday Jun 07, 2011

June 2011 Java SE Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the June 2011 Critical Patch Update for Java SE. Today’s Java Critical Patch Update provides fixes for 17 new security vulnerabilities. 

Out of these 17 vulnerabilities, 9 have received a CVSS Base Score of 10.0.  This means that, in case of successful exploitation of any of these vulnerabilities, a complete compromise of the targeted system is possible.  Per Oracle policies, we report the highest CVSS score across all possible platforms.  In the above example, this means that the reported CVSS score is 10.0 to reflect the practice of many Windows users of running their systems with Administrative privileges.  On other operating systems (e.g. Linux, Unix), and when Java is executed by users with limited privileges, the CVSS score for these vulnerabilities would be 7.5 to reflect a compromise of the Java application, but not a complete compromise down to the OS layer.  The CVSS Base Scores for the remaining 8 vulnerabilities fixed in this Java Critical Patch Update range from 2.6 to 7.6.

1 of these 17 vulnerabilities is specific to server deployment of Java.  This means that this vulnerability can only be exploited by supplying malicious input to APIs in the specified Component (e.g. through a Web Service).  It cannot be exploited through the use of Java Web Start applications or Java applets.

Out of these 17 vulnerabilities, 5 affect client and server deployments of Java.  This means that these vulnerabilities can be remotely exploited by supplying malicious data to APIs in the affected component of the server or be exploited through untrusted Java Web Start applications and untrusted Java applets of the clients.  (See discussion of trusted and untrusted applications below.)   11 of the vulnerabilities fixed in this Critical Patch Update affect client-only deployments.  This means that these vulnerabilities can only be exploited through untrusted Java Web Start applications and untrusted Java applets.

Java is designed to execute untrusted Java Web Start applications and untrusted applets in the Java sandbox with limited privileges.  However, if successfully exploited, the vulnerabilities affecting client deployments fixed in this Critical Patch Update can escape the sandbox, and in some instances (as denoted by a CVSS Base Score of 10.0), result in the full compromise of the targeted system.

Two conditions are required before Java applets or Java Web Start applications are considered trusted.  They have to be signed, and the user is required to click "Run" in response to a security dialog prior to their execution.  In other words, clicking "Run" makes the signed applet or signed Java Web Start application "trusted".  When trusted, such Java Web Start applications and Java applets can run outside the sandbox and will execute with the privileges of the user running them.  Trusted applets and trusted Java Web Start applications can access the same resources to which the user has access: e.g. they can read/write the same files the user can read/write; they can make network connections, etc.  As a result, users should exercise caution prior to allowing signed Java applets and signed Java Web Start applications to run.

If, after being prompted to run such a signed Web Start application or signed Java applet, the user clicks "Cancel" in the security dialog (instead of “Run”), the signed applet or Web Start application will execute as untrusted, just like an unsigned applet, and in the absence of a security vulnerability will be confined to the Java sandbox.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible:


For More Information:

The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml


Tuesday Apr 19, 2011

April 2011 Critical Patch Update Released

Tuesday Apr 05, 2011

Understanding the Common Vulnerability Scoring System (CVSS)

Tuesday Feb 22, 2011

Take Advantage of Oracle's Ongoing Assurance Effort!

Tuesday Feb 15, 2011

February 2011 Java SE and Java for Business Critical Patch Update Released

Tuesday Feb 08, 2011

Security Alert For CVE-2010-4476 Released