Oracle this week released its Critical Patch Update (CPU) for October 2016 to deliver a total of 253 new security fixes across multiple product families, nearly half of which can be exploited remotely without authentication.
Security Week | Ionut Arghire
Oracle products receiving the largest number of fixes this quarter include Oracle Communications Applications (36 patches), MySQL (31), Fusion Middleware (29), Financial Services Applications (24), and E-Business Suite (21). Oracle Database, Java SE, PeopleSoft, and Retail Applications received patches as well.
Commenting on the Oracle CPU for October 2016, Waratek CTO John Matthew Holt told SecurityWeek that, because almost all of the vulnerabilities resolved in Java and Java products are remotely exploitable, “any application running on the current or earlier versions of these Java products are or may be susceptible to remote attacks.”
“In particular, two of the Java Platform vulnerabilities affect the JMX (Java Management Extensions) and Networking APIs built into the Java Platform. These two APIs are present and loaded in all but the most trivial Java applications. This means business critical Java applications are operating with known-flawed APIs and should prioritized for patching as quickly as possible,” he says.
Holt also points out that Java-powered WebLogic applications are seriously impacted by the new set of security patches, especially with five different vulnerabilities in WebLogic versions 10 and 12 that can be remotely exploited over HTTP and HTTPS protocols without authentication. These remote exploits are the most worrying, given the ubiquity of HTTP/HTTPS access to Java-powered applications, he says.
“Furthermore, since these are nearly all high-CVSS vulnerabilities, a successful exploit will not only hijack the vulnerable application stack but also expose confidential application data. Customers running critical business applications on Java-powered WebLogic and GlassFish application platforms need to upgrade their application stack urgently to safeguard the security of their application and the confidentiality of their business data,” Holt continues.
However, he also points out that the October CPU is not out of the ordinary when compared to those released in the previous quarters, because high-severity vulnerabilities are identified and patched in the Java software platforms every three months.