Tuesday Jul 16, 2013

July 2013 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle just released the July 2013 Critical Patch Update.  This Critical Patch Update provides 89 new security fixes across a wide range of product families: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Industry Applications, Oracle Supply Chain Products Suite, Oracle VM, Oracle MySQL, and Oracle and Sun Systems Products Suite.

As a reminder, security fixes for Java SE will continue to be released on a separate Critical Patch Update schedule until October this year.  Starting with the October 2013 Critical Patch Update, Java SE security fixes will be released on the normal Critical Patch Update schedule, along with the security fixes for all other Oracle products, thus likely to increase the total number of security fixes released with each Critical Patch Update.

Out of the 89 new security fixes included with this Critical Patch Update, 6 are for Oracle Database.  One of these database vulnerabilities is remotely exploitable without authentication.  The highest CVSS Base Score for these database vulnerabilities is 9.0.  This score is related to a vulnerability (CVE-2013-3751) which affects the XML Parser on Oracle Database 11.2.0.2 and 11.2.0.3. 

21 of the fixes included in this Critical Patch Update are for Oracle Fusion Middleware.  16 of these vulnerabilities are remotely exploitable without authentication, and the highest CVSS Base Score for these vulnerabilities is 7.5.  This score applies to a JRockit vulnerability (CVE-2013-2461), which is in fact related to a series of Java vulnerabilities fixed with the June 2013 Critical Patch Update for Java SE and applicable to JRockit.  With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated.  Note also that with this Critical Patch Update and the previously-released Critical Patch Update, Oracle has been working on addressing a series of known Apache bugs in Oracle HTTP Server.  Finally, note that a number of the Oracle Fusion Middleware vulnerabilities have already been fixed on all supported versions.  The listing of these vulnerabilities in the Oracle Fusion Middleware risk matrix should provide an additional impetus for users of affected versions to update their systems to a more secure release.

The Oracle and Sun Systems Products Suite receives a total of 16 new security fixes.  8 of the vulnerabilities are remotely exploitable without authentication, and the maximum CVSS Base Score for these vulnerabilities is 7.8.

Oracle MySQL receives 18 new security fixes.  2 of the MySQL vulnerabilities are remotely exploitable without authentication.  The highest CVSS Base Score for these bugs is 6.8. 

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update.  However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates.  As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are not available under Oracle Premier Support, update their systems to a current release so as to fully benefit from Oracle’s ongoing security assurance effort (see for example Ovum’s paper: Avoiding Security Risks with Regular Patching and Support).

 

For More Information:

The July 2013 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html  

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html. 

Tuesday Jun 18, 2013

June 2013 Critical Patch Update for Java SE Released

Hello, this is Eric Maurice again.

Oracle today released the June 2013 Critical Patch Update for Java SE.  This Critical Patch Update provides 40 new security fixes.  37 of these vulnerabilities are remotely exploitable without authentication.

34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.  The highest CVSS Base Score for these client-only fixes is 10.0. 

4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.  The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.

One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.

Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates.  Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection.  This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server.  If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers.  This vulnerability has received a CVSS Base Score of 4.3.  With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.  More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657. 
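The bug class described above, as an added illustration (this is not the Javadoc tool's code nor Oracle's fix): a frameset index page that loads whatever follows `?` in its URL into the content frame, beside a hardened version that accepts only a relative `.html` path.  The assumption that the target comes from the query string, and the allowed-path rule, are mine, not stated in the post.

```javascript
// Added illustration of the frame-injection bug class described above.
// Not the Javadoc tool's code or Oracle's fix; the "target from the query
// string" mechanism and the allowed-path rule are assumptions made here.

// Vulnerable pattern: load whatever follows "?" straight into the content frame.
// A link such as "?http://example.org/x.html" therefore renders an arbitrary
// external page inside the trusted documentation site.
function unsafeFrameTarget(search) {
  const s = String(search || "");
  return s.length > 1 ? s.substring(1) : "undefined";
}

// Hardened: accept only a relative path of identifier-like segments ending in
// ".html". Anything carrying a scheme, a leading slash, a backslash or ".."
// is rejected and the caller falls back to the default page.
function isSafeRelativePath(target) {
  if (target.indexOf(":") !== -1) return false;                        // scheme (http:, javascript:)
  if (target.startsWith("/") || target.startsWith("\\")) return false; // absolute path or //host
  if (target.indexOf("..") !== -1) return false;                       // directory traversal
  return /^[A-Za-z0-9_$][A-Za-z0-9_$.-]*(\/[A-Za-z0-9_$][A-Za-z0-9_$.-]*)*\.html$/.test(target);
}

// Same input as unsafeFrameTarget, but the result is validated first.
function safeFrameTarget(search) {
  const target = unsafeFrameTarget(search);
  return isSafeRelativePath(target) ? target : "undefined";
}

// Apply the validated target to a frame-like object (in a browser this would be
// the content frame of the frameset); returns the location actually set.
function loadContentFrame(frame, search, defaultPage) {
  const target = safeFrameTarget(search);
  frame.location = target === "undefined" ? defaultPage : target;
  return frame.location;
}
```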

Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities.  Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way. 

Desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version.  As a reminder, security fixes delivered through the Critical Patch Update for Java SE are cumulative: in other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.

 

For More Information:

The Advisory for the June 2013 Critical Patch Update for Java is located at http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

More information about the Javadoc tool is available at http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html

Thursday May 30, 2013

Maintaining the security-worthiness of Java is Oracle’s priority

Hi, my name is Nandini Ramani.  I lead the software development team building the Java platform.  My responsibilities span the entire Java platform and include platform security.

Over the past year, there have been several reports of security vulnerabilities in Java, primarily affecting Java running in Web browsers. This blog entry outlines the steps Oracle has taken to address issues with the security-worthiness of Java in web browsers and elsewhere following the acquisition of Sun Microsystems.

Whenever Oracle makes an acquisition, acquired product lines are required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance.  As a result, for example, the Java development organization had to adopt Oracle’s Security Fixing Policies, which among other things mandate that issues must be resolved in priority order and addressed within a certain period of time.

As a result of adopting these stricter procedures, as well as increasing investments in Java overall by Oracle, Java development significantly accelerated the production of security fixes.  Recently-released Critical Patch Updates for Java SE have contained a historically high number of security fixes.  In addition, Oracle decided to publish an additional security release in 2013.  The April 2013 Critical Patch Update for Java SE will bring Java to four security releases in 2013 as opposed to the three initially planned.  As a reminder, the February 2012 Critical Patch Update for Java SE provided 14 security fixes, the June 2012 release 14, and the October 2012 release 30 (thus the total number of new security fixes provided through Critical Patch Updates for Java in 2012 was 58).  In contrast to these numbers, the February 2013 security releases provided 55 new security fixes, and the April 2013 Critical Patch Update for Java SE provided 42 new security fixes, bringing the total number of security fixes released through the Critical Patch Update for Java in the first half of 2013 to 97.

In addition to accelerating the release of security fixes for Java SE, Oracle’s additional investments have provided the organization with the ability to more quickly respond to reports of 0-days and other particularly severe vulnerabilities.  Java development has gained the ability to produce and test individual security fixes more quickly as evidenced by the quick releases of the most recent Java Security Alerts.  In other words, the procedural and technical changes implemented throughout Java development have enabled the organization to make improvements affecting both the Critical Patch Update program (scheduled release of a greater number of security fixes) and the Security Alert program (faster release of unscheduled security fixes in response to 0-days or particularly severe vulnerabilities).

Starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products.  In other words, Java will now issue four annual security releases.  Obviously, Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program.

The implementation of Oracle Software Security Assurance policies and practices by Java development is also intended to defend against the introduction of new vulnerabilities into the Java code base.  For example, the Java development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code.  The Java team has engaged with Oracle’s primary source code analysis provider to enhance the ability of the tool to work in the Java environment.  The team has also developed sophisticated analysis tools to weed out certain types of vulnerabilities (e.g., fuzzing tools).

Oracle is also addressing the limitations of the existing Java in browser trust/privileges model.  The company has made a number of product enhancements to default security and to provide more end user control over security.  In JDK 7 Update 2, Oracle added enhanced security warnings before executing applets with an old Java runtime.  In JDK 7 Update 6, Oracle began dynamically updating information about security baselines – information used to determine if the current version of Java contains the latest security fixes available.  In JDK 7 Update 10, Oracle introduced a security slider configuration option, and provided for automatic security expiration of older Java versions (to make sure that users run the most recent versions of Java with a more restricted trust model than in older versions).  Further, with the release of JDK 7 Update 21, Oracle introduced the following changes:
  (1) The security model for signed applets was changed.  Previously, signing applets was only used to request increased application privileges.  With this update, signing applets establishes identity of the signer, but does not necessarily grant additional privileges.  As a result, it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed. 
  (2) The default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets.  This change is likely to impact most Java users, and Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations.  Note, however, that users and administrators will be able to specifically opt out of this setting and choose a less secure deployment mode to allow for the execution of unsigned applets.  In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code.
  (3) While Java provides the ability to check the validity of signed certificates through Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) calls before the execution of signed applets, the feature is not enabled by default because of a potential negative performance impact.  Oracle is making improvements to standardized revocation services to enable them by default in a future release.  In the interim, we have improved our static blacklisting to a dynamic blacklisting mechanism including daily updates for both blacklisted jar files and certificates.

Finally, while the security problems affecting Java in Internet browsers have generally not impacted Java running on servers, Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers.  As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments).  With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.” 

Oracle has removed plugins from the Server JRE distribution to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors.  In the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation.  Such significant measures cannot be implemented in current versions of Java since they would violate current Java specifications, but Oracle has been working with other members of the Java Community Process to enable such changes in future versions of Java.

In addition, Oracle wants to improve the manageability of Java in enterprise deployments.  Local Security Policy features will soon be added to Java, and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization.  The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts.

It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment.  Oracle’s effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.

For more information:
More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Java security documentation is located at http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Release notes for JDK 7 releases are located at http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

Tuesday Apr 16, 2013

April 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score affects 19 different vulnerabilities.

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited.

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate.

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.

April 2013 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle just released the April 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 128 new security vulnerabilities across a wide range of product families including the Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Industry Applications, Oracle Primavera, Oracle and Sun Systems Product Suite (including Sun Middleware Products), Oracle MySQL, and Oracle Support Tools. 

Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server.  The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux).  This vulnerability is limited to Oracle Database 11.2.0.2 and 11.2.0.3 operating in RAC configurations. 

This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware.  The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0 and it in fact affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit.  In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.

This Critical Patch Update includes a significant number of security fixes for Oracle Applications.  This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE).  Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18.  In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.

As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite.  18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server.  The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.  

Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service requests in case of specific hardware failures).

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained.  As a reminder, Oracle also today released a Critical Patch Update for Java SE.  The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.

For More Information:

The Security Advisory for the April 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

The Security Advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

More information about Oracle Software Security Assurance programs is located at http://www.oracle.com/us/support/assurance/index.html. 

Monday Mar 04, 2013

Security Alert CVE-2013-1493 Released

Hello, this is Eric Maurice.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE. 

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

As always, Oracle recommends that this Security Alert be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default.  This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

As stated in previous blogs, Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers.  The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment.

 

For more information:

The Advisory for Security Alert CVE-2013-1493 can be found at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

More information about Oracle Software Security Assurance can be found at http://www.oracle.com/us/support/assurance/index.html. 

Tuesday Feb 19, 2013

Updated February 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released the updated February 2013 Critical Patch Update for Java SE.  As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th.  Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.  

All but one of the vulnerabilities fixed today apply to client deployment of Java.  This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers.  Three of these vulnerabilities received a CVSS Base Score of 10.0.  As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 
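The scoring arithmetic behind the 10.0 versus 7.5 comparison above, as an added CVSS v2 base-score calculator (not Oracle's own tooling).  The vector for the 10.0 case is assumed here to be network-reachable, low access complexity, no authentication, with Complete confidentiality, integrity and availability impact; the 7.5 case lowers the three impact metrics to Partial, as the post describes.

```javascript
// Added CVSS v2 base-score calculator illustrating the 10.0 vs 7.5 point above.
// The metric weights and formula are the published CVSS v2 constants; the
// vectors used in the tests are assumed reconstructions of the two cases the
// post describes, not vectors taken from Oracle's risk matrix.

const CVSS2_WEIGHTS = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },   // Access Vector: Local, Adjacent, Network
  AC: { H: 0.35, M: 0.61, L: 0.71 },    // Access Complexity: High, Medium, Low
  Au: { M: 0.45, S: 0.56, N: 0.704 },   // Authentication: Multiple, Single, None
  C:  { N: 0.0, P: 0.275, C: 0.660 },   // Confidentiality impact: None, Partial, Complete
  I:  { N: 0.0, P: 0.275, C: 0.660 },   // Integrity impact
  A:  { N: 0.0, P: 0.275, C: 0.660 },   // Availability impact
};

// Parse "AV:N/AC:L/Au:N/C:C/I:C/A:C" into numeric weights; rejects unknown or
// missing metrics so a typo cannot silently produce a score.
function parseVector(vector) {
  const metrics = {};
  for (const part of vector.split("/")) {
    const [name, value] = part.split(":");
    if (!(name in CVSS2_WEIGHTS) || !(value in CVSS2_WEIGHTS[name])) {
      throw new Error(`bad CVSS v2 metric: ${part}`);
    }
    metrics[name] = CVSS2_WEIGHTS[name][value];
  }
  for (const name of Object.keys(CVSS2_WEIGHTS)) {
    if (!(name in metrics)) throw new Error(`missing CVSS v2 metric: ${name}`);
  }
  return metrics;
}

// CVSS v2 rounds to one decimal, half up; Math.round does that for positives.
function roundTo1Decimal(x) {
  return Math.round(x * 10) / 10;
}

// Returns the intermediate Impact and Exploitability sub-scores with the base score.
function cvss2Breakdown(vector) {
  const m = parseVector(vector);
  const impact = 10.41 * (1 - (1 - m.C) * (1 - m.I) * (1 - m.A));
  const exploitability = 20 * m.AV * m.AC * m.Au;
  const fImpact = impact === 0 ? 0 : 1.176;
  const base = roundTo1Decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * fImpact);
  return { impact, exploitability, base };
}

function cvss2BaseScore(vector) {
  return cvss2Breakdown(vector).base;
}

// The post's non-administrator case: every Complete impact metric becomes Partial.
function downgradeImpactToPartial(vector) {
  return vector.replace(/\b(C|I|A):C\b/g, "$1:P");
}
```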

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE).  This fix is for a vulnerability commonly referred to as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169).  This vulnerability has received a CVSS Base Score of 4.3.

Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.  IT professionals should refer to the advisory located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html and desktop users can install this new version from java.com or through the Java autoupdate.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.   As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products.  The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014. 

  

For More Information:

The Advisory for the updated February 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Friday Feb 08, 2013

Updates to February 2013 Critical Patch Update for Java SE

Hello, this is Eric Maurice.

On February 1st 2013, Oracle released the February 2013 Critical Patch Update for Java SE.  In the blog entry discussing this Critical Patch Update release, I stated that this Critical Patch Update was originally scheduled to be released on February 19th, and that Oracle decided to accelerate the release of this Critical Patch Update because of the exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. 

As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE.  Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. 

This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn’t be released on February 1st.  A new Critical Patch Update Advisory will also be published on February 19th on http://www.oracle.com/technetwork/topics/security/alerts-086861.html to include information about the additional fixes being released. 

Note that Critical Patch Updates for Java SE are cumulative.  As a result, organizations that may not have applied the February 1st release will be able to apply the updated Critical Patch Update when it is published, and will then gain the benefit of all previously released Java SE fixes.  As usual, desktop users will be able to install this new version from java.com or through the Java autoupdate.

 

For More Information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html   

Friday Feb 01, 2013

February 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice again.

Oracle just released the February 2013 Critical Patch Update for Java SE.  The original Critical Patch Update for Java SE was scheduled for February 19th, but Oracle decided to accelerate its release because one of the vulnerabilities addressed by this Critical Patch Update, affecting the Java Runtime Environment (JRE) in desktop browsers, was being actively exploited “in the wild.”

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities.  44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers).  In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.  In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).  Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in browsers, or on servers, by supplying malicious input to APIs in the vulnerable server components.  In some instances, the exploitation scenario for these kinds of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE). 

The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0.   This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.   

This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments.  This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment. 

The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers.  Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score.

Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to "high" by default.  The "high" security setting requires users to expressly authorize the execution of unsigned applets, allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute "silently").  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.
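The two controls described above (the security level and the ability to disable Java in the browser) are persisted in the Java client's deployment.properties file.  The following audit script is an added example, not Oracle's code; it assumes the documented keys `deployment.security.level` (LOW/MEDIUM/HIGH/VERY_HIGH), `deployment.webjava.enabled`, and the `.locked` suffix that prevents a user from changing a system-level setting, and it runs against constructed sample files rather than a live installation.

```python
"""Audit a Java 7 deployment.properties file for browser-hardening settings.

Added example (not Oracle code). Assumes the documented keys
deployment.security.level and deployment.webjava.enabled, and the
".locked" suffix used in a system-level file to pin a setting.
"""

LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def parse_properties(text):
    """Minimal Java .properties reader: '=' or ':' separates key and value,
    '#'/'!' start comments, and a bare key (no separator) maps to ''."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""          # e.g. deployment.security.level.locked
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means the file is hardened."""
    findings = []
    level = props.get("deployment.security.level")
    if level is None:
        findings.append("deployment.security.level not set (default depends on JRE version)")
    elif LEVEL_ORDER.get(level.upper(), -1) < LEVEL_ORDER["HIGH"]:
        findings.append(f"security level {level} lets unsigned applets run without a prompt")
    if "deployment.security.level.locked" not in props:
        findings.append("security level not locked; a user can lower it in the Java Control Panel")
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java in the browser is still enabled (deployment.webjava.enabled)")
    return findings


# Constructed samples: a weak configuration and a hardened one.
WEAK = "# constructed sample\ndeployment.security.level=MEDIUM\ndeployment.webjava.enabled=true\n"
HARDENED = ("# constructed sample\ndeployment.security.level=VERY_HIGH\n"
            "deployment.security.level.locked\ndeployment.webjava.enabled=false\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_properties(text)) or ["OK"])
```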

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned.  After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue.  Oracle felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers.  The size of this Critical Patch Update, as well as its early publication, demonstrates Oracle's intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

For more information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about setting the security level in the Java client is available at http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Tuesday Jan 15, 2013

January 2013 Critical Patch Update Released

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Products Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EnterpriseOne, and 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections of the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for Oracle Sun Products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux).

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 
