Tuesday Apr 16, 2013

April 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score applies to 19 different vulnerabilities. 

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited. 

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate.

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.

April 2013 Critical Patch Update Released

Hello, this is Eric Maurice.

Oracle just released the April 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 128 new security vulnerabilities across a wide range of product families including the Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Industry Applications, Oracle Primavera, Oracle and Sun Systems Product Suite (including Sun Middleware Products), Oracle MySQL, and Oracle Support Tools. 

Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server.  The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux).  This vulnerability is limited to Oracle Database 11.2.0.2 and 11.2.0.3 operating in RAC configurations. 

This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware.  The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0; this score in fact applies to a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit.  In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.

This Critical Patch Update includes a significant number of security fixes for Oracle Applications.  This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE).  Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18.  In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.

As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite.  18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server.  The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.  

Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service requests in case of specific hardware failures). 

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained.  As a reminder, Oracle also today released a Critical Patch Update for Java SE.  The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.

For More Information:

The Security Advisory for the April 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

The Security Advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

More information about Oracle Software Security Assurance programs is located at http://www.oracle.com/us/support/assurance/index.html. 

Tuesday Jan 15, 2013

January 2013 Critical Patch Update Released

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Products Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EnterpriseOne, and 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections of the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for the Oracle Sun Products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux). 

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 
Tuesday Jun 12, 2012

June 2012 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle just released the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update provides 14 new security fixes across Java SE products.  As discussed in previous blog entries, Critical Patch Updates for Java SE will, for the foreseeable future, continue to be released on a separate schedule from that of other Oracle products due to previous commitments made to Java customers. 

12 of the 14 Java SE vulnerabilities fixed in this Critical Patch Update may be remotely exploitable without authentication.  6 of these vulnerabilities have a CVSS Base Score of 10.0.  In accordance with Oracle’s policies, these CVSS 10 scores represent instances where a user running a Java applet or Java Web Start application has administrator privileges (as is typical on Windows XP).  When the user does not run with administrator privileges (typical on the Solaris and Linux operating systems), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability for these vulnerabilities would be "Partial" instead of "Complete", thus lowering these CVSS Base Scores to 7.5.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible.

In addition, Oracle recommends removing old and unused versions of Java, as the latest version is always the recommended version: it contains the most recent enhancements, bug fixes, and security fixes. 

For more information:

• Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

• Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp

• The Advisory for the June 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

Tuesday Apr 17, 2012

April 2012 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle has just released the April 2012 Critical Patch Update. This Critical Patch Update provides 88 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle FLEXCUBE, Oracle Siebel Clinical Trial Management System, Oracle Primavera, Oracle Sun products suite, and Oracle MySQL.

Of the 88 new vulnerabilities, 6 directly affect Oracle Database Server. The highest CVSS Base Score for these Database Server vulnerabilities is 9.0. This Base Score applies to the Oracle Spatial component on Windows platforms (on non-Windows platforms, i.e., Linux, Unix, the CVSS Base Score is 6.5). In addition, 6 Enterprise Manager Grid Control fixes may be relevant to Database Server deployments. The highest CVSS Base Score for the Enterprise Manager Grid Control vulnerabilities is 5.8, but 4 of the 6 vulnerabilities may be remotely exploitable without authentication. Therefore, Oracle highly recommends that these fixes be applied as soon as possible.

This Critical Patch Update also includes 11 new security fixes for Oracle Fusion Middleware. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0 (for vulnerability CVE-2012-1695). This score applies to a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. Starting again with this Critical Patch Update, JRockit fixes will no longer be provided with the Critical Patch Update for Java SE, but will be provided in the regular Critical Patch Update along with other Oracle Fusion Middleware fixes.

This Critical Patch Update provides the following application security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 15 for Oracle PeopleSoft Enterprise, 2 for Siebel Clinical Trial Management System, 17 for Oracle FLEXCUBE, and 1 for Oracle Primavera Enterprise Project Management.

Finally, this Critical Patch Update provides 15 new security fixes for the Oracle Sun Products Suite (including Oracle Grid Engine, Oracle Glassfish Enterprise Server, Oracle Solaris, etc.) and 6 new security fixes for Oracle MySQL.

While a great amount of caution is required when analyzing the content of the Critical Patch Updates in an attempt to identify potential trends, I believe the content of this Critical Patch Update is consistent with the views expressed in previous blog entries: Oracle Software Security Assurance activities tend to lower the number of exploitable security bugs in the most mature product lines (that is, the product lines that have implemented Oracle secure development practices for the longest time), and as a result we see a downward trend in the number of fixes for these product lines. On the other hand, newly acquired product lines often receive a relatively large number of security fixes in the Critical Patch Updates. This is due in part to the increased visibility these products may get as a result of their acquisition by Oracle, as well as development’s access to an extended toolset (e.g., security scanning tools) and increased executive attention around security matters as a result of joining Oracle.

For More Information:

The April 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Tuesday Jan 17, 2012

January 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle just released the January 2012 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities affecting a wide range of Oracle product families including: Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Virtualization, Oracle Sun product suite, and Oracle MySQL.  Note again that security fixes for Java SE continue to be released on a different schedule because of commitments made before the completion of the Sun acquisition.

Out of the 78 new fixes, 2 affect the Oracle Database.  The maximum CVSS Base Score for the Database vulnerabilities fixed in this Critical Patch Update is 5.5; however, Oracle considers these fixes to be important.  In a previous blog entry, we discussed how CVSS Base Scores are computed, and we highlighted the fact that the CVSS Base Score scale is designed to rate the severity of vulnerabilities ranging up to complete exploitation of the affected system down to the Operating System layer (CVSS Base Score greater than 7.5).  One of the database vulnerabilities fixed in this Critical Patch Update has received a CVSS Base Score of 5.0.  It is a relatively easy-to-exploit vulnerability, which can result in a shutdown of the database (without compromising the confidentiality or integrity of the information contained in it).  In other words, this vulnerability could allow an unauthenticated attacker to carry out a denial of service attack against the targeted database, for example if it were exposed to the Internet.

Though not remotely exploitable without authentication, the other database fix provided in this Critical Patch Update is also important.  This database bug, which was also reported to Oracle by InfoWorld, may have wider non-security related consequences for a small number of customers.  Database customers are therefore strongly encouraged to apply this Critical Patch Update and consult My Oracle Support Note 1376995.1 for additional instructions.

11 of the 78 new fixes provided by this Critical Patch Update are for Oracle Fusion Middleware.  The highest CVSS Base Score for these Oracle Fusion Middleware bugs is 6.4. 

An additional 17 fixes affect the Oracle Sun product suite, including Solaris, Glassfish Enterprise Server, and OpenSSO.  The highest CVSS Base Score for these Sun product suite vulnerabilities is 7.8.

3 new fixes affect Oracle virtualization.  The maximum CVSS Base Score for these vulnerabilities is 3.7.  This score is related to a vulnerability affecting Oracle VM VirtualBox.

Finally, Oracle MySQL receives 27 fixes.  The maximum CVSS Base Score for these MySQL vulnerabilities is 5.5.  One of these vulnerabilities is remotely exploitable without authentication.  Note that this is the first time that MySQL fixes are being included in the Critical Patch Update.

Oracle continues to recommend that customers apply all security patches and keep up with newer releases as a means to continue to preserve their security posture.  As highlighted in this Critical Patch Update, the decreasing number of fixes produced for the most mature product lines in recent Critical Patch Updates should not be construed as an indication that Critical Patch Updates are becoming less important to the security posture of Oracle customers.  Furthermore, security research continues to show that unpatched systems remain an attractive target for malicious hackers.  Fortunately, Oracle customers can leverage a number of tools, including My Oracle Support, to keep up with recommended security and non-security releases.
For More Information:

Tuesday Oct 18, 2011

October 2011 Critical Patch Updates Released

Hello, this is Eric Maurice.

Oracle just released the October 2011 Critical Patch Update and the Critical Patch Update for Java SE.  As explained in previous blogs, because of commitments made before the completion of the Sun acquisition, the security patches for Java SE are typically released on a different schedule than other Oracle products. However, today, the release date of the Critical Patch Update for Java SE coincided with the regular Critical Patch Update release schedule.

The October 2011 Critical Patch Update for Java SE provides fixes for 20 new security vulnerabilities.  The highest CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0, and it is applicable to 6 vulnerabilities.  In addition, one of these 20 new fixes is for the “BEAST” exploit.  “BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389, and it has a CVSS Base Score of 4.3.  Note also that beginning with this Critical Patch Update, security fixes for Oracle JRockit will no longer be released with the Oracle Fusion Middleware fixes but instead will be released along with Java SE fixes in the Critical Patch Update for Java SE.  The primary benefit of this change is that Oracle JRockit will now receive Java-related fixes as soon as these fixes are released by Oracle (JRockit fixes were previously distributed with other Oracle Fusion Middleware fixes in the next Critical Patch Update that followed the Critical Patch Update for Java SE).

The October 2011 Critical Patch Update provides fixes for 57 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Linux and Virtualization, and Oracle Sun product suite.  None of the 57 new fixes are applicable for client-only deployments. 

Of the 57 new fixes, 5 are for Oracle Database Server.  None of the Oracle Database Server vulnerabilities addressed in this Critical Patch Update are remotely exploitable without authentication.  The most severe vulnerability affecting the Oracle Database Server products suite affects Oracle Application Express (APEX), and it has received a CVSS Base Score of 6.5.  None of these fixes are applicable to client-only deployments.

As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base.  Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced.  This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that, in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years.  In addition, our secure coding efforts have also helped reduce the number of vulnerabilities written into new code.  In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments. 

22 out of the 57 fixes provided with this Critical Patch Update are for the Oracle Sun product suite.  The most severe of these vulnerabilities affects the LDAP Library in Sun Solaris (CVE-2011-3508) and has received a CVSS Base Score of 9.3.  Oracle recommends that Solaris customers apply this Critical Patch Update as soon as possible.
Finally, please note that this Critical Patch Update lists a fix for Oracle Linux.  Starting with this Critical Patch Update, security fixes in proprietary components of Oracle Linux will be listed in the Critical Patch Update advisory.  However, the security fixes for the code generated by the Linux community, as well as those for proprietary Oracle components, will continue to be released through the El-errata documentation, in the same fashion as before.

For more information:
Tuesday Jul 19, 2011

July 2011 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the July 2011 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities in a wide range of product families including: Oracle Database Server, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, and Oracle Sun Products. 

Out of these 78 vulnerabilities, 13 affect Oracle Database Server, including one affecting Oracle Database Vault and 2 affecting client-only deployments.  The CVSS Base Scores for these Database Server vulnerabilities range between 1.3 and 7.1. 

This Critical Patch Update also provides fixes for 3 security flaws affecting Oracle Secure Backup.  The highest CVSS Base Score for the vulnerabilities affecting Secure Backup is 10.0.  Oracle Secure Backup customers are therefore urged to apply this Critical Patch Update as soon as possible.

In addition, 7 fixes are provided for Oracle Fusion Middleware.  The highest CVSS Base Score for vulnerabilities affecting Oracle Fusion Middleware is 10.0.  This CVSS Base Score is related to previously released Java SE security fixes applicable to JRockit.  Note again that Java SE security fixes continue to be issued on a separate Critical Patch Update schedule (the schedule for the Critical Patch Updates for Java SE and all other Oracle products is posted at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

18 security fixes are provided for Oracle Enterprise Manager Grid Control.  The CVSS Base Scores for the Enterprise Manager Grid Control vulnerabilities fixed in this Critical Patch Update range between 4.3 and 6.8. 

23 new security fixes are provided for the Oracle Sun Product Suite, including Oracle OpenSSO, Solaris, Oracle GlassFish Server, etc.  The CVSS Base Scores for the Oracle Sun Product Suite vulnerabilities fixed in this Critical Patch Update range between 1.7 and 10.0. 

With the addition of the Sun products, Oracle Software Security Assurance programs extend to the software components of hardware products, including firmware.  Firmware and other hardware-related security fixes are included in the Critical Patch Updates.  But the application of Oracle Software Security Assurance by the former hardware divisions of Sun does not end with the Critical Patch Update and Security Alert programs! 

While, before the acquisition, there were differences between the security practices of the various hardware security groups at Sun (e.g. differences between Solaris, Development Tools, Volume Systems, Enterprise Systems, Disk Storage divisions, etc.), these security practices are now integrated under Oracle Software Security Assurance guidance.  For example, security release criteria (i.e. security items in the mandatory checklist before allowing a software product to become GA) are applied uniformly across all Hardware Systems divisions.  Also, the development teams across the Hardware Systems division have access to a broader set of security tool sets, including static analysis tools.  These changes will help further strengthen the security quality of the code produced by these groups. 

Oracle Software Security Assurance programs affect ALL Oracle products (and their respective development organizations) and help ensure consistency in coding practices, security reporting, etc., resulting in effective information sharing between Oracle groups.  This is particularly important because customers will reap security benefits when purchasing Oracle-engineered systems (e.g. Exadata, Exalogic, etc.) as opposed to getting multi-vendor bundles (or attempting to integrate complex systems from multiple vendors by themselves).  For example, the existence of consistent and extended security checklists when bringing Oracle solutions together helps ensure security integrity across the solution stack being offered to customers, as customers need not rely upon the consistency of multiple vendors’ security assurance programs. 

As always, Oracle recommends that customers review the risk matrices included in the Critical Patch Update Advisory to determine whether these fixes are relevant to them and, if so, determine the potential risk these vulnerabilities create in their environment, and ultimately determine their patching priority.  As a reminder, Oracle recently started to issue a plain-English version of the risk matrices to help customers who may not yet be familiar with CVSS get accustomed to the Standard.  In addition, a technical white paper is available on Oracle’s web site to help customers come up with a repeatable process to deal with security patches in their environment.
For more Information:

· The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

· More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Tuesday Jun 07, 2011

June 2011 Java SE Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle just released the June 2011 Critical Patch Update for Java SE. Today’s Java Critical Patch Update provides fixes for 17 new security vulnerabilities. 

Out of these 17 vulnerabilities, 9 have received a CVSS Base Score of 10.0.  This means that, in case of successful exploitation of any of these vulnerabilities, a complete compromise of the targeted system is possible.  Per Oracle policies, we report the highest CVSS score across all possible platforms.  In the above example, this means that the reported CVSS score is 10.0 to reflect the practice of many Windows users of running their systems with Administrative privileges.  On other operating systems (e.g. Linux, Unix), and when Java is executed by users with limited privileges, the CVSS score for these vulnerabilities would be 7.5 to reflect a compromise of the Java application, but not a complete compromise down to the OS layer.  The CVSS Base Scores for the remaining 8 vulnerabilities fixed in this Java Critical Patch Update range from 2.6 to 7.6.
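The platform-dependent pairs quoted in this entry and in the June 2012 Java SE entry above (10.0 when Java runs as an administrator, 7.5 as a limited user), and the 9.0/6.5 Windows-versus-other split reported for the Spatial and MySQL bugs, follow directly from the CVSS v2 equations once the Confidentiality, Integrity and Availability impacts drop from Complete to Partial. The calculator below is an added example, not Oracle's code; the vectors in it are constructed to reproduce those pairs and are not Oracle's published vectors for any specific CVE.

```python
"""CVSS v2 base-score calculator (added example; not Oracle's code).

Recomputes the platform-dependent scores quoted in the blog entries
from the CVSS v2.0 base equations. The vectors used at the bottom are
constructed for illustration, not taken from any Oracle advisory.
"""
import math
import re

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_vector(vector):
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    match = VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), match.groups()))


def _round_to_1_decimal(value):
    # CVSS v2 rounds half up to one decimal place; work in tenths to
    # avoid Python's banker's rounding and float noise at the boundary.
    return math.floor(value * 10 + 0.5) / 10.0


def base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1
        - (1 - IMPACT_WEIGHT[m["C"]])
        * (1 - IMPACT_WEIGHT[m["I"]])
        * (1 - IMPACT_WEIGHT[m["A"]])
    )
    exploitability = (
        20
        * ACCESS_VECTOR[m["AV"]]
        * ACCESS_COMPLEXITY[m["AC"]]
        * AUTHENTICATION[m["Au"]]
    )
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return _round_to_1_decimal(raw)


def limited_privilege_vector(vector):
    """Rewrite a vector so that Complete C/I/A impacts become Partial.

    This models the rule stated in the posts: the published score assumes
    the Java process runs with administrator privileges (full OS
    compromise); when Java runs as a limited user, only the Java
    application is compromised, so each impact drops to Partial.
    """
    m = parse_vector(vector)
    for metric in ("C", "I", "A"):
        if m[metric] == "C":
            m[metric] = "P"
    return "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % (
        m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"]
    )


def platform_scores(vector):
    """Return (administrator_platform_score, limited_user_score)."""
    return base_score(vector), base_score(limited_privilege_vector(vector))


if __name__ == "__main__":
    # Constructed vectors: network-reachable, low complexity, with no
    # authentication (the Java client case, 10.0 -> 7.5) and with a single
    # authenticated session (the 9.0 -> 6.5 pair reported elsewhere above).
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:S/C:C/I:C/A:C"):
        admin, limited = platform_scores(v)
        print("%s -> %.1f as administrator, %.1f as limited user"
              % (v, admin, limited))
```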

1 of these 17 vulnerabilities is specific to server deployment of Java.  This means that this vulnerability can only be exploited by supplying malicious input to APIs in the specified Component (e.g. through a Web Service).  It cannot be exploited through the use of Java Web Start applications or Java applets.

Out of these 17 vulnerabilities, 5 affect client and server deployments of Java.  This means that these vulnerabilities can be remotely exploited by supplying malicious data to APIs in the affected component of the server or be exploited through untrusted Java Web Start applications and untrusted Java applets of the clients.  (See discussion of trusted and untrusted applications below.)   11 of the vulnerabilities fixed in this Critical Patch Update affect client-only deployments.  This means that these vulnerabilities can only be exploited through untrusted Java Web Start applications and untrusted Java applets.

Java is designed to execute untrusted Java Web Start applications and untrusted applets in the Java sandbox with limited privileges.  However, if successfully exploited, the vulnerabilities affecting client deployments fixed in this Critical Patch Update can escape the sandbox, and in some instances (as denoted by a CVSS Base Score of 10.0), result in the full compromise of the targeted system.

Two conditions are required before Java applets or Java Web Start applications are considered trusted.  They have to be signed, and the user is required to click "Run" in response to a security dialog prior to their execution.  In other words, clicking "Run" makes the signed applet or signed Java Web Start application "trusted". When trusted, such Java Web Start applications and Java applets can run outside the sandbox and will execute with the privileges of the user running them.  Trusted applets and trusted Java Web Start applications can access the same resources to which the user has access: e.g. they can read/write the same files the user can read/write; they can make network connections, etc.  As a result, users should exercise caution prior to allowing signed Java applets and signed Java Web Start applications to run. 

If after being prompted to run such a signed Web Start application or signed Java applet, the user clicks "Cancel" in the security dialog (instead of “Run”), the signed applet or Web Start application will execute as untrusted, just like an unsigned applet, and in the absence of security vulnerability, will be confined to the Java sandbox.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible.
For More Information:

The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

More information on Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Consumers can go to http://www.java.com/en/download/installed.jsp to ensure that they have the latest version of Java running on their desktops. More information on Java Update is available at http://www.java.com/en/download/help/java_update.xml