Oracle fixed 154 vulnerabilities in its latest Critical Patch Update release, eight of which were in Oracle Database Server, 30 in MySQL, and 25 in Java SE. Oracle said 84 of the vulnerabilities fixed in 54 different products were critical, as they may be exploited remotely without authentication.
The October 2015 Critical Patch Update include a number of fixes for “very severe vulnerabilities,” but none has yet been exploited in the wild, wrote Eric Maurice, software security assurance director at Oracle. “However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort,” Maurice warned.
Of the Oracle Database vulnerabilities, seven were for Oracle Database Server and one was for Oracle Database Mobile/Lite Server. The most severe vulnerability was in Oracle Database Server’s Portable Clusterware component, with a CVSS Base Score of 10.0. This means the bug could be remotely exploited over the network without needing a username and password, resulting in a full compromise of the targeted system. Three other critical vulnerabilities, all with the CVSS Base Score of 9.0, could affect the Database Scheduler and Java VM components. The vulnerabilities don’t apply to client-only database installations where the Oracle Database Server is not installed.
Oracle also fixed 30 security flaws in the MySQL database, two of which were remotely exploitable without authentication. The most severe flaw affected the MySQL Enterprise Monitor component and could lead to a complete takeover of the targeted system if the component ran with administrator or root-level privileges. The bug’s CVSS Base Score dropped from 9.0 to 6.5 if the MySQL Enterprise Monitor ran with non-administrator privileges, as attackers would only get partial control of the targeted system, Oracle said in its advisory.
In addition, this update fixed older vulnerabilities in the libcurl library 7.17.1 through 7.42.1 (CVE-2014-3707, CVE-2014-8150, CVE-2015-3153 and CVE-2015-3236), which could result in Carriage Return/Line Feed (CRLF) injection attacks. Also known as an HTTP Response Splitting attack, these flaws could be exploited to inject arbitrary HTTP headers and obtain sensitive information by reading header contents.
Java is a popular attack vector for attackers, so the CPU is even more critical for organizations relying on Java. The latest update patched 25 vulnerabilities in Java, of which 24 allowed for remote execution. Seven vulnerabilities in Java SE and Java SE Embedded versions 6 to 8 had a CVSS Base Score of 10.0. The flaws, present in various libraries and multiple subcomponents, including CORBA, RMI, Serialization, and 2D, applied to client-side Java alone. They could be exploited only through sandboxed Java Web Start applications and sandboxed Java applets, Oracle said.
Sign up for Computerworld eNewsletters.