Friday Apr 18, 2014

Security Alert CVE-2014-0160 (‘Heartbleed’) Released

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2014-0160 to address the publicly disclosed ‘Heartbleed’ vulnerability which affects a number of versions of the OpenSSL library.  Due to the severity of this vulnerability, and the fact that active exploitation of this vulnerability is reported “in the wild,” Oracle recommends that customers of affected Oracle products apply the necessary patches as soon as they are released by Oracle.

The CVSS Base Score for this vulnerability is 5.0.  This relatively low score illustrates the difficulty of devising a system that can rate the severity of all types of vulnerabilities, including those that constitute blended threats.

It is easy to exploit vulnerability CVE-2014-0160 with relative impunity, as it is remotely exploitable without authentication over the Internet.  However, a successful exploit can only compromise the confidentiality of some of the data held on the targeted system.  Active exploitation of the bug allows a malicious perpetrator to read the memory of the targeted system on which the vulnerable version of the OpenSSL library resides.  The vulnerability, on its own, does not allow a compromise of the availability (e.g., a denial of service attack) or the integrity (e.g., deletion of sensitive log files) of the targeted system.

Unfortunately, this vulnerability is very serious in that it is contained in a widely used security package, which enables the use of SSL/TLS, and the compromise of that memory can have serious follow-on consequences.  According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information.  In some instances, this information could be used by a malicious perpetrator to decrypt private information that was sent months or years ago, or to log into systems with a stolen identity.  As a result, this vulnerability creates very significant risks, including unauthorized access to systems with full user rights.

For more information:

The Advisory for Security Alert CVE-2014-0160 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html

The ‘OpenSSL Security Bug - Heartbleed / CVE-2014-0160’ page on OTN is located at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

The ‘Heartbleed’ web site is located at http://www.heartbleed.com.  Note that this site is not affiliated with Oracle.

Thursday Apr 17, 2014

Oracle Java Cloud Service - April 2014 Critical Patch Update

Hi, this is Eric Maurice.

In addition to the release of the April 2014 Critical Patch Update, Oracle has also addressed the recently publicly disclosed issues in the Oracle Java Cloud Service.  Note that the combination of this announcement with the release of the April 2014 Critical Patch Update is neither coincidental nor a consequence of the unfortunate public disclosure of exploit code; rather, it reflects the need to coordinate the release of related fixes for our on-premise customers.

Shortly after issues were reported in the Oracle Java Cloud Service, Oracle determined that some of these issues were the result of certain security issues in Oracle products (though not Java SE), which are also licensed for traditional on-premise use.  As a result, Oracle addressed these issues in the Oracle Java Cloud Service, and scheduled the inclusion of related fixes in the following Critical Patch Updates upon completion of successful testing so as to avoid introducing regression issues in these products.

For more information:

The April 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

More information about Oracle Software Security Assurance, including details about Oracle’s secure development and ongoing security assurance practices is located at http://www.oracle.com/us/support/assurance/overview/index.html

Tuesday Apr 15, 2014

April 2014 Critical Patch Update Released

Hello, this is Eric Maurice again.

Oracle today released the April 2014 Critical Patch Update.  This Critical Patch Update provides fixes for 104 vulnerabilities across a number of product lines including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.  A number of the vulnerabilities fixed in this Critical Patch Update have high CVSS Base Scores and are highlighted in this blog entry.  Oracle recommends that this Critical Patch Update be applied as soon as possible.

Out of the 104 vulnerabilities fixed in the April 2014 Critical Patch Update, 2 were for the Oracle Database.  The most severe of these database vulnerabilities received a CVSS Base Score of 8.5 for the Windows platform, denoting a full compromise of the targeted system, although successful exploitation of this bug requires the malicious attacker to authenticate.  On other platforms (e.g., Linux, Solaris), the CVSS Base Score is 6.0, because a successful compromise would be limited to the Database and would not extend to the underlying Operating System.  Note that Oracle reports this kind of vulnerability with the ‘Partial+’ value for Confidentiality, Integrity, and Availability impact (Partial+ is used when the exploit affects a wide range of resources, e.g. all database tables).  Oracle applies the CVSS 2.0 standard strictly, and as a result Partial+ does not inflate the CVSS Base Score (CVSS only provides for ‘None,’ ‘Partial,’ or ‘Complete’ to report the impact of a bug).  This custom value is intended to call customers’ attention to the potential impact of the specific vulnerability and to let them raise the severity rating manually if they so choose.  For more information about Oracle’s use of CVSS, see http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html.

This Critical Patch Update also provides fixes for 20 Fusion Middleware vulnerabilities.  The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5.  This score applies to one vulnerability in Oracle WebLogic Server (CVE-2014-2470) that is remotely exploitable without authentication.  If successfully exploited, this vulnerability can result in a wide compromise of the targeted WebLogic Server (Partial+ rating for Confidentiality, Integrity, and Availability; see the previous discussion about the meaning of the ‘Partial+’ value reported by Oracle).
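The scores quoted in this post and in the Heartbleed alert above (5.0 for CVE-2014-0160, 8.5 and 6.0 for the database bug, 7.5 for WebLogic, 10.0 for the worst Java SE bugs) follow directly from the CVSS 2.0 base equation, and the ‘Partial+’ annotation cannot move them because the standard only defines None, Partial and Complete. The calculator below is an added example, not Oracle’s code and not taken from the advisory; the metric weights are the published CVSS v2 constants, while the vectors are assumptions chosen to reproduce the scores cited here (the authoritative vectors are in the advisory risk matrices).

```python
# Added example: CVSS 2.0 Base Score calculator (not Oracle's code).
# Metric weights are the published CVSS v2 constants; the vectors in
# EXAMPLE_VECTORS are assumptions that reproduce the scores quoted in the post.

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
# Oracle's "Partial+" ("P+") is only an annotation for readers: CVSS 2.0 has no
# weight for it, so it is scored exactly like "Partial".
IMPACT = {"N": 0.0, "P": 0.275, "P+": 0.275, "C": 0.660}

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into a dict of metric -> value."""
    metrics = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        metrics[name] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError("vector %r is missing metrics %s" % (vector, missing))
    return metrics


def impact_subscore(m):
    """CVSS v2 Impact = 10.41 * (1 - (1-C) * (1-I) * (1-A))."""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))


def exploitability_subscore(m):
    """CVSS v2 Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector):
    """CVSS v2 BaseScore, rounded to one decimal as the standard prescribes."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0.0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


# Assumed vectors (constructed for this example) that reproduce the post's scores.
EXAMPLE_VECTORS = {
    "Heartbleed, CVE-2014-0160 (memory read only)": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "Database, Windows (authenticated, full host compromise)": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
    "Database, other platforms (limited to the database)": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
    "WebLogic, CVE-2014-2470 (Partial+ on C/I/A)": "AV:N/AC:L/Au:N/C:P+/I:P+/A:P+",
    "Java SE, worst case (unauthenticated, complete)": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
}


def score_examples():
    """Return {description: base score} for the assumed vectors above."""
    return {desc: base_score(vec) for desc, vec in EXAMPLE_VECTORS.items()}


if __name__ == "__main__":
    for desc, vec in EXAMPLE_VECTORS.items():
        print("%-58s %-32s %4.1f" % (desc, vec, base_score(vec)))
```

Running the script prints the five assumed vectors with their scores; the WebLogic line demonstrates the point of the post, since writing `P+` or `P` in the vector yields the same 7.5.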

Also included in this Critical Patch Update were fixes for 37 Java SE vulnerabilities.  4 of these Java SE vulnerabilities received a CVSS Base Score of 10.0.  29 of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE.  Rounding out this count were one vulnerability affecting the Javadoc tool and one affecting unpack200.  As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java.  Java SE security fixes delivered through the Critical Patch Update program are cumulative.  In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.  Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities.

This Critical Patch Update also included fixes for 5 vulnerabilities affecting the Oracle Linux and Virtualization product suite.  The most severe of these vulnerabilities received a CVSS Base Score of 9.3; this vulnerability (CVE-2013-6462) affects certain versions of Oracle Secure Global Desktop.

Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible.  In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update.  However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates.  As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are no longer available under Oracle Premier Support, update their systems to a currently-supported release so as to fully benefit from Oracle’s ongoing security assurance effort.

For more information:

The April 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

More information about Oracle’s application of the CVSS scoring system is located at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html

An Ovum white paper “Avoiding security risks with regular patching and support services” is located at http://www.oracle.com/us/corporate/analystreports/ovum-avoiding-security-risks-1949314.pdf

More information about Oracle Software Security Assurance, including details about Oracle’s secure development and ongoing security assurance practices is located at http://www.oracle.com/us/support/assurance/overview/index.html

The details of the Common Vulnerability Scoring System (CVSS) are located at http://www.first.org/cvss/cvss-guide.html. 

Java desktop users can verify that they are running the most recent version of Java and remove older versions of Java by visiting http://java.com/en/download/installed.jsp.

Thursday Apr 10, 2014

‘Heartbleed’ (CVE-2014-0160) Vulnerability in OpenSSL

Hi, this is Eric Maurice.

A vulnerability affecting certain versions of the OpenSSL libraries was recently publicly disclosed.  This vulnerability has received the nickname ‘Heartbleed’ and the CVE identifier CVE-2014-0160. 

Oracle is investigating the use of the affected OpenSSL libraries in Oracle products and solutions, and will provide mitigation instructions when available for these affected Oracle products. 

Oracle recommends that customers refer to the 'OpenSSL Security Bug - Heartbleed CVE-2014-0160' page on the Oracle Technology Network (OTN) for information about affected products, availability of fixes and other mitigation instructions.  This page will be periodically updated as Oracle continues its assessment of the situation.   Oracle customers can also open a support ticket with My Oracle Support if they have additional questions or concerns.

For More Information:

The CVE-2014-0160 page on OTN is located at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

The Heartbleed web site is located at http://heartbleed.com/.  This site is not affiliated with Oracle and provides a list of affected OpenSSL versions.

The My Oracle Support portal can be accessed by visiting https://support.oracle.com

Tuesday Jan 14, 2014

January 2014 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle released the January 2014 Critical Patch Update today. This Critical Patch Update provided fixes for 144 new security vulnerabilities across a wide range of product families, including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

The January 2014 Critical Patch Update provided 5 fixes for the Oracle Database. The maximum CVSS Base Score for these database vulnerabilities was 5.0. This score was for one vulnerability (CVE-2013-5853), which also happened to be the only database vulnerability in this Critical Patch Update that is remotely exploitable without authentication.

This Critical Patch Update provided 22 security fixes for Oracle Fusion Middleware, 19 of which were for vulnerabilities that were remotely exploitable without authentication. The most severe CVSS Base Score for these vulnerabilities is 10.0. This score is for vulnerability CVE-2013-4316 which affects Oracle WebCenter Sites (versions 11.1.1.6.1 and 11.1.1.8.0).

Oracle Hyperion received 2 new security fixes. One of these vulnerabilities (CVE-2013-3830) received a CVSS Base Score of 7.1, which denotes a complete compromise if successfully exploited, but also requires a single authentication from the attacker.

This Critical Patch Update also included a number of fixes for Oracle applications. 4 security fixes are for Oracle E-Business Suite (one of the vulnerabilities may be remotely exploitable without authentication), 16 security fixes are for Oracle Supply Chain Products Suite (6 of the vulnerabilities may be remotely exploitable without authentication), and 17 security fixes are for Oracle PeopleSoft Enterprise (10 of the vulnerabilities may be remotely exploitable without authentication). 2 security fixes are for Oracle Siebel CRM (one of the vulnerabilities may be remotely exploitable without authentication), etc.

This Critical Patch Update also provided 36 security fixes for Java SE. 34 of these Java SE vulnerabilities may be remotely exploitable without authentication. Only 3 of these vulnerabilities are relevant to Java SE or JSSE server deployments, and those 3 are not server-side specific (that is, they also affect client deployments). The maximum CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0. This score applies to 5 vulnerabilities (one of them being applicable to server deployments, that is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets).

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. While successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments, because the affected component is not installed or cannot be easily reached by a malicious attacker, prompt application of the Critical Patch Update helps ensure that “security in depth” is maintained in the environment. IT environments are dynamic in nature, and system configurations and security controls (e.g., network access control policies) often change over time. Applying the Critical Patch Update and other vendors’ relevant security patches helps ensure that the related security controls continue to work should one of the systems fail or one of its controls be circumvented during an attack.

In 2014, the Critical Patch Update program remains Oracle’s primary mechanism for the release of security fixes across all Oracle product families. The inclusion of Java SE in the standard Critical Patch Update release schedule has increased the relative size of each Critical Patch Update release since Java SE’s inclusion in October 2013. From a Java SE perspective, this inclusion also means that security fixes for Java SE are released in 4 annual scheduled releases (as opposed to 3 annual releases prior to the Oracle acquisition of Sun Microsystems). The schedule of the Critical Patch Update (on the Tuesday closest to the 17th of the months of January, April, July, and October), as well as the frequency of this security patching schedule, is based largely on feedback from customers, who want a balance between a high level of predictability for managing their systems and a reasonable frequency in the release of security patches so as to maintain a proper security posture. As such, from an Oracle perspective, “time to fix” (the length of time between discovery of the bug or initial reporting and delivery of the fix) is not as relevant a figure as “time to patch” (the length of time between discovery of the bug or initial reporting and application of the fix by all affected customers).

For More Information:

The January 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html.

Tuesday Oct 15, 2013

October 2013 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle today released the October 2013 Critical Patch Update.  As previously announced, this Critical Patch Update is the first one to integrate Java SE.  In other words, moving forward, planned security fixes for Oracle products, including Java SE, will be released on the same schedule.  As a result, the average number of fixes delivered through each future Critical Patch Update is, at least for the foreseeable future, likely to be greater than in previous Critical Patch Updates.  As an additional reminder, Oracle publishes the release dates of future Critical Patch Updates a year in advance.  The release dates for the next 4 Critical Patch Update releases are located on the Security Alerts and Critical Patch Updates page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html.

Today’s Critical Patch Update provides 127 new security fixes across a wide variety of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle iLearning, Oracle Industry Applications, Oracle FLEXCUBE, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 127 new fixes, 2 are specifically for Oracle Database.  The maximum CVSS Base Score for the database vulnerabilities is 5.5.  One of these database vulnerabilities has already been fixed in all supported version and platform combinations.  The other vulnerability is remotely exploitable without authentication.  Fixing this second vulnerability requires that customers configure network encryption between their clients and servers if data is sent over untrusted networks.   Note that Oracle recently updated its licensing agreement so that network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.  Finally note that 2 Oracle Fusion Middleware fixes are applicable to database deployments and as such are listed in the Database Risk Matrix of the Critical Patch Update advisory.

Out of these 127 fixes, 51 are for Java SE.  50 of the Java SE vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these Java SE vulnerabilities is 10.0, which denotes a complete takeover of the targeted system (down to the operating system) in instances where Java executes with administrative privileges (i.e. system privileges).  Out of these 51 Java vulnerabilities, only 8 are applicable to client and server deployments of Java.  40 apply to client deployments of Java, including one which is only exploitable during Java client deployment.  One of the vulnerabilities applies to the JHat developer tool.  The last 2 vulnerabilities apply to sites that run the Javadoc tool as a service.  For more information about these Java vulnerabilities, see the security matrix for Java SE located on the Critical Patch Update Advisory.

As a reminder, desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java.  Java SE security fixes delivered through the Critical Patch Update program are cumulative.  In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.   Oracle strongly recommends that Java users, particularly home users, keep up with Java releases so as to protect themselves against malicious exploitation of Java vulnerabilities. 

This Critical Patch Update release also provides 17 security fixes for Oracle Fusion Middleware, 12 of which are for vulnerabilities which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5. 

4 new security fixes are for Oracle Enterprise Manager Grid Control.  All of these Enterprise Manager Grid Control vulnerabilities are remotely exploitable without authentication, and the maximum CVSS Base Score for these vulnerabilities is 4.3.

This Critical Patch Update release also provides 22 new security fixes for Oracle applications as follows: 1 for Oracle E-Business Suite, 2 for Oracle Supply Chain Products Suite, 8 for PeopleSoft Enterprise, 9 for Siebel CRM, and 2 for iLearning.  It furthermore provides 6 new security fixes for Oracle Industry Applications and 1 for Oracle Financial Services Software.  

Finally, this Critical Patch Update delivers 12 new security fixes for the Oracle and Sun Systems Products Suite.   5 of these vulnerabilities are remotely exploitable without authentication.   The maximum CVSS Base Score for these vulnerabilities is 6.9.

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  To a large extent, maintaining a proper security posture requires that organizations keep up to date with Oracle’s security patches and supported releases so as to take advantage of Oracle’s ongoing security assurance effort. 

For More Information:

The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Advisory for the October 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html. 

Desktop users can make sure they run the most recent version of Java by visiting http://java.com/en/download/installed.jsp.

Tuesday Jul 16, 2013

July 2013 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle just released the July 2013 Critical Patch Update.  This Critical Patch Update provides 89 new security fixes across a wide range of product families: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Industry Applications, Oracle Supply Chain Products Suite, Oracle VM, Oracle MySQL, and Oracle and Sun Systems Products Suite.

As a reminder, security fixes for Java SE will continue to be released on a separate Critical Patch Update schedule until October this year.  Starting with the October 2013 Critical Patch Update, Java SE security fixes will be released on the normal Critical Patch Update schedule, along with the security fixes for all other Oracle products, thus likely to increase the total number of security fixes released with each Critical Patch Update.

Out of the 89 new security fixes included with this Critical Patch Update, 6 are for Oracle Database.  One of these database vulnerabilities is remotely exploitable without authentication.  The highest CVSS Base Score for these database vulnerabilities is 9.0.  This score is related to a vulnerability (CVE-2013-3751) which affects the XML Parser on Oracle Database 11.2.0.2 and 11.2.0.3. 

21 of the fixes included in this Critical Patch Update are for Oracle Fusion Middleware.  16 of these vulnerabilities are remotely exploitable without authentication, and the highest CVSS Base Score for these vulnerabilities is 7.5.  This score applies to a JRockit vulnerability (CVE-2013-2461), which is in fact related to a series of Java vulnerabilities fixed with the June 2013 Critical Patch Update for Java SE and applicable to JRockit.  With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated.  Note also that with this Critical Patch Update and the previously-released Critical Patch Update, Oracle has been working on addressing a series of known Apache bugs in Oracle HTTP Server.  Finally, note that a number of the Oracle Fusion Middleware vulnerabilities have already been fixed on all supported versions.  The listing of these vulnerabilities in the Oracle Fusion Middleware risk matrix should provide an additional impetus for users of affected versions to update their systems to a more secure release.

The Oracle and Sun Systems Products Suite receives a total of 16 new security fixes.  8 of the vulnerabilities are remotely exploitable without authentication, and the maximum CVSS Base Score for these vulnerabilities is 7.8.

Oracle MySQL receives 18 new security fixes.  2 of the MySQL vulnerabilities are remotely exploitable without authentication.  The highest CVSS Base Score for these bugs is 6.8. 

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update.  However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates.  As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are not available under Oracle Premier Support, update their systems to a current release so as to fully benefit from Oracle’s ongoing security assurance effort (see for example Ovum’s paper: Avoiding Security Risks with Regular Patching and Support).

For More Information:

The July 2013 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html  

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html. 

Tuesday Jun 18, 2013

June 2013 Critical Patch Update for Java SE Released

Hello, this is Eric Maurice again.

Oracle today released the June 2013 Critical Patch Update for Java SE.  This Critical Patch Update provides 40 new security fixes.  37 of these vulnerabilities are remotely exploitable without authentication.

34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.  The highest CVSS Base Score for these client-only fixes is 10.0. 

4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.  The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.

One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.

Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates.  Some HTML pages created by version 1.5 or later of the Javadoc tool are vulnerable to frame injection.  This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server.  If exploited, this vulnerability can grant a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers.  This vulnerability has received a CVSS Base Score of 4.3.  With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it no longer produces vulnerable pages, and has additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.  More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657.

Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities.  Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way. 

Desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version.  As a reminder, security fixes delivered through the Critical Patch Update for Java SE are cumulative: in other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.

For More Information:

The Advisory for the June 2013 Critical Patch Update for Java is located at http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

More information about the Javadoc tool is available at http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html

Thursday May 30, 2013

Maintaining the security-worthiness of Java is Oracle’s priority

Hi, my name is Nandini Ramani.  I lead the software development team building the Java platform.  My responsibilities span the entire Java platform and include platform security.

Over the past year, there have been several reports of security vulnerabilities in Java, primarily affecting Java running in Web browsers. This blog entry outlines the steps Oracle has taken to address issues with the security-worthiness of Java in web browsers and elsewhere following the acquisition of Sun Microsystems.

Whenever Oracle makes an acquisition, acquired product lines are required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance.  As a result, for example, the Java development organization had to adopt Oracle’s Security Fixing Policies, which among other things mandate that issues must be resolved in priority order and addressed within a certain period of time.

As a result of adopting these stricter procedures, as well as increasing investments in Java overall by Oracle, Java development significantly accelerated the production of security fixes.  Recently-released Critical Patch Updates for Java SE have contained a historically high number of security fixes.  In addition, Oracle decided to publish an additional security release in 2013.  The April 2013 Critical Patch Update for Java SE will bring Java to four security releases in 2013, as opposed to the three initially planned.  As a reminder, the February 2012 Critical Patch Update for Java SE provided 14 security fixes, the June 2012 release 14, and the October 2012 release 30 (thus the total number of new security fixes provided through Critical Patch Updates for Java in 2012 was 58).  In contrast to these numbers, the February 2013 security releases provided 55 new security fixes, and the April 2013 Critical Patch Update for Java SE provided 42 new security fixes, bringing the total number of security fixes released through the Critical Patch Update for Java in the first half of 2013 to 97.

In addition to accelerating the release of security fixes for Java SE, Oracle’s additional investments have provided the organization with the ability to more quickly respond to reports of 0-days and other particularly severe vulnerabilities.  Java development has gained the ability to produce and test individual security fixes more quickly as evidenced by the quick releases of the most recent Java Security Alerts.  In other words, the procedural and technical changes implemented throughout Java development have enabled the organization to make improvements affecting both the Critical Patch Update program (scheduled release of a greater number of security fixes) and the Security Alert program (faster release of unscheduled security fixes in response to 0-days or particularly severe vulnerabilities).

Starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products.  In other words, Java will now issue four annual security releases.  Obviously, Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program.

The implementation of Oracle Software Security Assurance policies and practices by Java development is also intended to defend against the introduction of new vulnerabilities into the Java code base.  For example, the Java development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code.  The Java team has engaged with Oracle’s primary source code analysis provider to enhance the ability of the tool to work in the Java environment.  The team has also developed sophisticated analysis tools to weed out certain types of vulnerabilities (e.g., fuzzing tools).

Oracle is also addressing the limitations of the existing Java-in-browser trust/privileges model.  The company has made a number of product enhancements to strengthen default security and provide more end-user control over security.  In JDK 7 Update 2, Oracle added enhanced security warnings before executing applets with an old Java runtime.  In JDK 7 Update 6, Oracle began dynamically updating information about security baselines – information used to determine whether the current version of Java contains the latest security fixes available.  In JDK 7 Update 10, Oracle introduced a security slider configuration option, and provided for automatic security expiration of older Java versions (to make sure that users run the most recent versions of Java, which have a more restricted trust model than older versions).  Further, with the release of JDK 7 Update 21, Oracle introduced the following changes:
  (1) The security model for signed applets was changed.  Previously, signing applets was used only to request increased application privileges.  With this update, signing an applet establishes the identity of the signer, but does not necessarily grant additional privileges.  As a result, it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets that are not signed.
  (2) The default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets.  This change is likely to impact most Java users, and Oracle urges organizations whose sites currently contain unsigned Java applets to sign those applets according to the documented recommendations.  Note, however, that users and administrators will be able to specifically opt out of this setting and choose a less secure deployment mode to allow for the execution of unsigned applets.  In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code.
  (3) While Java provides the ability to check the validity of signed certificates through Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) calls before the execution of signed applets, the feature is not enabled by default because of a potential negative performance impact.  Oracle is making improvements to standardized revocation services in order to enable them by default in a future release.  In the interim, we have replaced our static blacklisting with a dynamic blacklisting mechanism, including daily updates for both blacklisted jar files and certificates.

Finally, while the security problems affecting Java in Internet browsers have generally not impacted Java running on servers, Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers.  As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments).  With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.” 

Oracle has removed plugins from the Server JRE distribution to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors.  In the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation.  Such significant measures cannot be implemented in current versions of Java since they would violate current Java specifications, but Oracle has been working with other members of the Java Community Process to enable such changes in future versions of Java.

In addition, Oracle wants to improve the manageability of Java in enterprise deployments.  Local Security Policy features will soon be added to Java, and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization.  The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts.

It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment.  Oracle’s effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.

For more information:
More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Java security documentation is located at http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Release notes for JDK 7 releases are located at http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

Tuesday Apr 16, 2013

April 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score applies to 19 different vulnerabilities.

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied to specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited.

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate.

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.
