Oracle has announced 154 new security vulnerabilities fixed in its latest Critical Patch Update, but says the most serious have not been successfully exploited "in the wild."
The most severe vulnerability received a CVSS score of 10.0, the highest possible. Oracle's software security assurance director Eric P. Maurice said the score denoted "a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system."
Also scoring a CVSS Base Score of 10 are vulnerabilities for Oracle Sun Systems Products Suite, Oracle Communications Applications, and Oracle Java SE.
The first of these relates to ILOM, Oracle's Integrated Lights Out Manager, the service processor embedded on all Oracle's SPARC Enterprise T-series and Sun Fire x86 servers. Maurice says that on top of applying necessary patches, customers should "ensure the ILOM interface be not publicly accessible over the Internet."
The critical patch update includes eight fixes for the Oracle Database, 15 for Oracle Sun Systems Products Suite, 23 for Oracle Fusion Middleware (16 of which are remotely exploitable without authentication), one for Oracle Hyperion, five for Oracle Enterprise Manager Grid Control, 12 for Oracle Applications, 14 for Oracle Industry Applications, and 25 for Oracle Java SE. All but one of the Oracle Java SE vulnerabilities are remotely exploitable without authentication.
The company releases Critical Patch Updates four times a year on a regular schedule. Because updates are cumulative, each contains fixes for all previously reported security issues, as well as new vulnerabilities.
"Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible," Maurice said. "It is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organisations lagging behind in their patching effort."
Speaking directly to InfoQ, jClarity CTO Kirk Pepperdine said:
Security is a big problem in this industry. There are quite a few people out there that are constantly peeking and poking around for ways to break through security systems. While most attacks are quite simple, some attacks are exceptionally sophisticated, beyond the imagination of just about everyone -- including all of us involved in working on or working with the Java platform.
Oracle makes it very clear that they take security issues very seriously and in my opinion, they do. They will disrupt any internal schedule to work on closing any security vulnerability that they become aware of.
In a controversial, and subsequently deleted, blog post earlier this year, Oracle's CSO Mary Ann Davidson said that "customers Should Not and Must Not reverse engineer" Oracle's code to find security flaws. Davidson explained that doing so violated their license agreement, and that the company already required its development teams to use security vulnerability-finding tools of its own.
Oracle's chief corporate architect Edward Screven later clarified the company's position, saying that "Oracle has a robust program of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure."