Oracle fixes critical flaws in Java, Database Server

While most of the fixes for Java, Database, and MySQL are run-of-the-mill, four are rated critical if the targeted user has administrator privileges

Oracle issued a gargantuan quarterly patch update this week, fixing a whopping 248 vulnerabilities across its product portfolio. Despite its size, Oracle Database, MySQL, and Java accounted for just a third of the fixes in the January Critical Patch Update.

The January CPU addressed seven vulnerabilities in the Oracle Database Server, three for the Oracle GoldenGate component, eight in Oracle Java SE, and 22 in Oracle MySQL. The update also closed nine issues in Oracle Virtualization and 23 in Oracle Sun Systems Product Suite, which includes Solaris. As has been the case with previous CPUs, the lion's share of the fixes focused on Enterprise applications including Oracle EBS, Oracle Fusion Middlware, and Oracle PeopleSoft. All four patches with Common Vulnerability Scoring Standard scores of 8.0 or higher were for Java and Oracle Database.

Along with the January CPU, Oracle also released Patch Set Updates (PSUs) for the Weblogic Apache Common vulnerability. Oracle had already released an out-of-band security patch for Weblogic in Novemer to address the deserialization vulnerability in Apache Commons library. PSUs are cumulative patches that include both the security fixes and priority fixes.

Database fixes for all

Oracle closed security holes in Oracle Database Server versions,, and None of the vulnerabilities could be exploited remotely without authentication, but the issue in the Java VM component (CVE-2016-0499) had a CVSS score of 9.0. An attacker would be able to take full control over the database server via this bug if the targeted system was a Windows machine running a Database version older than 12c. For database servers running on Linux, Unix and other platforms, as well as Database 12c on Windows, the CVSS score drops to 6.5 and the likelihood of someone getting full control over the server is lessened, according to the advisory.

The updates affect the following components: Java VM, Workspace Manager, XDB-XML Database, Database Vault, Security, and XML Developers' Kit for C.

Of the 22 flaws in MySQL, only one, in the client application, can be exploited remotely without authentication. The CVSS score is 7.2 only if the mysql client is run locally with admin or root privileges. On systems where the mysql client is given restricted privileges, as is considered best practice, the CVSS score drops to 4.6.

The update affected MySQL versions 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9.

Low number of Java updates

It's possible the January CPU closed a rather low number of vulnerabilities in Java because Oracle is deemphasizing Java. More likely, Oracle feels comfortable shifting its bug-fixing efforts elsewhere because Java is not as unstable or under siege as it used to be. Over the past year Oracle has focused  on making Java more secure, such as making applets harder to exploit by enabling them selectively through Deployment Rulesets. Some browsers whitelisted Java as click-to-play, and Microsoft added Java to its EMET tool, resulting in a "more stable environment for Java," said Wolfgang Kandek, CTO of Qualys. "We have not heard of its use in any of the main attack campaigns."

However, three of the eight vulnerabilities were rated as critical, with CVSS scores of 10.0. The severity assumes that the user running a Java applet or Java Web Start application has administrator privileges, which is a typical scenario on Windows systems. The CVSS score drops to 7.5 if the user does not have administrator privileges, a scenario more commonly found on Solaris and Linux systems.

Two of the critical flaws, in Java's 2D component (CVE-2016-0494) and in Java's AWT (CVE-2015-8126), can only be exploited through sandboxed Java Web Start applications and Java applets. The other AWT bug (CVE-2016-0483) also applies to server-side Java deployments. Attackers can potentially exploit the bug by supplying data through a Web service, "and should be looked at by your server team," Kandek said.

Oracle "strongly recommends" that customers remain on actively supported versions and apply Critical Patch Update fixes without delay. Of the 16 updates addressing issues in Solaris 11, four could be exploited remotely without authentication. Also worrying, eight of them could result in an attacker gaining complete control over the system. Unsupported Solaris 11.x versions should be upgraded to a supported release or patch set.

None of the vulnerabilities appear to be under active exploitation, but that doesn't mean administrators can take their time with patching. Attackers frequently target vulnerabilities even after patches have been released because they know everyone doesn't patch promptly.

Join the CSO newsletter!

Error: Please check your email address.

Tags Oracle

More about ApacheLinuxMicrosoftMySQLOraclePeopleSoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fahmida Y. Rashid

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts