Oracle fixes critical flaws in Database Server, MySQL, Java

The bad news: Java and Oracle's database products had lots of vulnerabilities. The good news: None are currently under attack

Oracle fixed 154 vulnerabilities in its latest Critical Patch Update release, eight of which were in Oracle Database Server, 30 in MySQL, and 25 in Java SE. Oracle said 84 of the vulnerabilities fixed in 54 different products were critical, as they may be exploited remotely without authentication.

The October 2015 Critical Patch Update includes a number of fixes for “very severe vulnerabilities,” but none has yet been exploited in the wild, wrote Eric Maurice, software security assurance director at Oracle. “However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort,” Maurice warned.

Of the Oracle Database vulnerabilities, seven were for Oracle Database Server and one was for Oracle Database Mobile/Lite Server. The most severe vulnerability was in Oracle Database Server’s Portable Clusterware component, with a CVSS Base Score of 10.0. This means the bug could be remotely exploited over the network without a username and password, resulting in a full compromise of the targeted system. Three other critical vulnerabilities, each with a CVSS Base Score of 9.0, affect the Database Scheduler and Java VM components. The vulnerabilities don’t apply to client-only database installations where the Oracle Database Server is not installed.

Oracle also fixed 30 security flaws in the MySQL database, two of which were remotely exploitable without authentication. The most severe flaw affected the MySQL Enterprise Monitor component and could lead to a complete takeover of the targeted system if the component ran with administrator or root-level privileges. The bug’s CVSS Base Score dropped from 9.0 to 6.5 if the MySQL Enterprise Monitor ran with non-administrator privileges, as attackers would only get partial control of the targeted system, Oracle said in its advisory.

In addition, this update fixed older vulnerabilities in the libcurl library, versions 7.17.1 through 7.42.1 (CVE-2014-3707, CVE-2014-8150, CVE-2015-3153 and CVE-2015-3236), which could result in Carriage Return/Line Feed (CRLF) injection attacks. CRLF injection is also known as HTTP response splitting: these flaws could be exploited to inject arbitrary HTTP headers and to obtain sensitive information by reading header contents.
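The CRLF injection class mentioned above, as an added illustration that is not libcurl's code or Oracle's: a constructed header value containing a CR/LF sequence breaks out of its header line when copied naively, while a hardened builder that rejects CR/LF in header values refuses it. All function names and the sample value are assumptions for this example.

```python
import re

# Any CR or LF inside a header value terminates the header line early, so a
# single untrusted value can smuggle extra header lines into the response.
CRLF_RE = re.compile(r"[\r\n]")


def build_redirect_naive(location: str) -> str:
    """Vulnerable pattern: an untrusted value copied straight into a header line."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def header_value_is_safe(value: str) -> bool:
    """True only if the value cannot break out of its header line."""
    return CRLF_RE.search(value) is None


def build_redirect_hardened(location: str) -> str:
    """Hardened form: refuse values containing CR or LF instead of emitting them."""
    if not header_value_is_safe(location):
        raise ValueError("CR/LF in header value")
    return build_redirect_naive(location)


def parse_headers(raw: str) -> dict:
    """Parse the header block the way a receiving peer would (status line first)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed sample: a redirect target carrying an embedded CRLF sequence.
INJECTED_LOCATION = "/home\r\nX-Injected: 1"


def demo_naive() -> dict:
    """Headers a peer sees when the naive builder is fed the constructed value."""
    return parse_headers(build_redirect_naive(INJECTED_LOCATION))


def demo_hardened_rejects() -> bool:
    """True if the hardened builder refuses the constructed value."""
    try:
        build_redirect_hardened(INJECTED_LOCATION)
    except ValueError:
        return True
    return False
```

The naive builder yields an extra `x-injected` header that the caller never intended; the hardened builder raises before any bytes are emitted.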

Java is a popular attack vector, so the CPU is even more critical for organizations relying on Java. The latest update patched 25 vulnerabilities in Java, 24 of which allowed remote code execution. Seven vulnerabilities in Java SE and Java SE Embedded versions 6 to 8 had a CVSS Base Score of 10.0. The flaws, present in various libraries and multiple subcomponents, including CORBA, RMI, Serialization, and 2D, applied to client-side Java alone. They could be exploited only through sandboxed Java Web Start applications and sandboxed Java applets, Oracle said.

The CVSS Base Scores assume the user running a Java applet or Java Web Start application has administrator privileges, which is a common scenario on Windows. If the application is not running with administrator privileges -- more typical on Solaris and Linux -- the CVSS scores drop and the attackers would get only partial control of the targeted system, Oracle said in the advisory.

A separate flaw in the JavaFX subcomponent (CVE-2015-4901) applied to both client and server deployments. It could be exploited through sandboxed Java Web Start applications and Java applets, as well as by supplying data to APIs in the affected component through a Web service.

Twenty of the vulnerabilities were browser-based. Users should use only the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases, Oracle said.

Oracle recommended that organizations apply the CPU as soon as possible because of the threats, but said it was possible to reduce the risk of successful attack by blocking the network protocol required by the attack. The most severe database vulnerability uses the OracleNET protocol, but it doesn’t make sense to apply this workaround for MySQL, which relies on HTTP. Some of the critical bugs become less severe if certain privileges or access to certain packages are revoked. Since these workarounds can break application functionality, Oracle recommended testing changes on nonproduction systems first.

“Neither approach should be considered a long-term solution as neither corrects the underlying problem,” Oracle said.

Oracle pushes out security fixes for its product portfolio on a quarterly basis. This quarter’s CPU is not significantly different in size from past updates. The July update included fixes for 193 vulnerabilities, while the January update fixed 169 vulnerabilities. The April update was the smallest in 2015, with fixes for 98 vulnerabilities.

Oracle’s next scheduled update is Jan. 19, 2016.


Stories by Fahmida Y. Rashid
