
Oracle Patches 154 New Security Vulnerabilities

by James Chesters on Oct 27, 2015. Estimated reading time: 2 minutes

Oracle has announced 154 new security vulnerabilities in its latest Critical Patch Update, but says the most serious have not been successfully exploited “in the wild.”

The most severe vulnerability received a CVSS score of 10.0, the highest possible. Oracle's software security assurance director Eric P. Maurice said the score denoted "a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system."

Also scoring a CVSS Base Score of 10 are vulnerabilities for Oracle Sun Systems Products Suite, Oracle Communications Applications, and Oracle Java SE.

The first of these relates to ILOM, Oracle's Integrated Lights Out Manager, the service processor embedded on all Oracle's SPARC Enterprise T-series and Sun Fire x86 servers. Maurice says that on top of applying necessary patches, customers should "ensure the ILOM interface be not publicly accessible over the Internet."
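Maurice's advice that ILOM interfaces must not be reachable from the Internet is easy to state and easy to drift away from. The following added example (not from the article or from Oracle) is an inventory check a defender might run: it flags any service-processor interface that is not on an allowlisted out-of-band management network, treating a routable address as a high finding and a private address outside the management allowlist as a medium one. The inventory rows, the `ilom` role label and the management network ranges are constructed assumptions.

```python
import ipaddress

# RFC 1918 / RFC 4193 private address space, listed explicitly rather than via
# ipaddress.is_private so that the documentation ranges used in the sample data
# are not silently treated as private.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Hypothetical allowlist of dedicated out-of-band management networks (assumption).
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.30.0/24", "192.168.50.0/24")
]

# Constructed sample inventory: (host, interface role, address).
SAMPLE_INVENTORY = [
    ("db01", "ilom", "10.20.30.5"),      # on the management network: fine
    ("db02", "ilom", "203.0.113.17"),    # routable address on a service processor
    ("app01", "ilom", "192.168.50.9"),   # on the management network: fine
    ("app01", "prod", "198.51.100.4"),   # production interface, not in scope
    ("web01", "ilom", "172.16.4.2"),     # private, but not on the management network
    ("edge01", "ilom", "2001:db8::1"),   # routable IPv6 address on a service processor
]


def classify(address: str) -> str:
    """Place an address in one of: management, private, routable."""
    ip = ipaddress.ip_address(address)
    # `in` returns False (no exception) when address and network versions differ.
    if any(ip in net for net in MANAGEMENT_NETWORKS):
        return "management"
    if any(ip in net for net in PRIVATE_NETWORKS):
        return "private"
    return "routable"


def exposed_management_interfaces(inventory, roles=("ilom",)):
    """Return (host, address, placement, severity) for every management-role
    interface that is not on an allowlisted management network."""
    findings = []
    for host, role, address in inventory:
        if role not in roles:
            continue
        placement = classify(address)
        if placement == "management":
            continue
        severity = "high" if placement == "routable" else "medium"
        findings.append((host, address, placement, severity))
    return findings


if __name__ == "__main__":
    for host, address, placement, severity in exposed_management_interfaces(SAMPLE_INVENTORY):
        print(f"{severity.upper():6} {host:8} {address:16} {placement}")
```

Running it over the sample inventory reports `db02` and `edge01` as high and `web01` as medium; the medium case matters because a private address that is merely NATed or firewalled is one misconfiguration away from the exposure the advisory warns about, whereas a dedicated management network is a structural control.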

The critical patch update includes eight fixes for the Oracle Database, 15 for Oracle Sun Systems Products Suite, 23 for Oracle Fusion Middleware (16 of which are remotely exploitable without authentication), one for Oracle Hyperion, five for Oracle Enterprise Manager Grid Control, 12 for Oracle Applications, 14 for Oracle Industry Applications, and 25 for Oracle Java SE. All but one of the Oracle Java SE vulnerabilities are remotely exploitable without authentication.

The company releases Critical Patch Updates four times a year on a regular schedule. Because updates are cumulative, each contains fixes for all previously-reported security issues, as well as new vulnerabilities.

"Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible," Maurice said. "It is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organisations lagging behind in their patching effort."

Speaking directly to InfoQ, jClarity CTO Kirk Pepperdine said:

Security is a big problem in this industry. There are quite a few people out there that are constantly peeking and poking around for ways to break through security systems. While most attacks are quite simple, some attacks are exceptionally sophisticated, beyond the imagination of just about everyone -- including all of us involved in working on or working with the Java platform.

Oracle makes it very clear that they take security issues very seriously and in my opinion, they do. They will disrupt any internal schedule to work on closing any security vulnerability that they become aware of.

In a controversial, and subsequently deleted, blog post earlier this year, Oracle's CSO Mary Ann Davidson said that "customers Should Not and Must Not reverse engineer" Oracle's code to find security flaws. Davidson explained that doing so violated their license agreement, and that the company already required its development teams to use security vulnerability-finding tools of their own.

Oracle's chief corporate architect Edward Screven later clarified the company's position, saying that "Oracle has a robust program of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure."
