December 11, 2016

Oracle fixes 113 security vulnerabilities, 20 just in Java

(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security-related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also includes 15 patches for Oracle Virtualization products and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Details of Zero Day Oracle Vulnerability Published After Patch Misunderstanding

(LiveHacking.Com) – The details of a zero day (0day) vulnerability in Oracle’s Database product have been published when the researcher, who originally found the problem, mistakenly believed that Oracle told him it had been fixed.

Almost two weeks ago Oracle released 88 security patches for a whole range of its products, including Oracle Database 10g and 11g. In the security advisories that accompanied those patches, Joxean Koret was credited by Oracle for work submitted under the “Security-In-Depth” program. The relevant vulnerability was submitted to Oracle in 2008, and it has taken Oracle four years to fix. Joxean contacted Oracle to double-check that the vulnerability was fixed. The reply from Oracle said the vulnerability “was fixed in future releases of the product”. Since he was credited in the security advisories for the patch and Oracle said it was fixed, Joxean went ahead and published his own advisory explaining the vulnerability and a proof of concept.

However, it turns out that Oracle didn’t fix the problem and in fact has no intention of fixing the problem in released versions of Oracle Database, but will only release a fix in the next version of the product. The reason Oracle gives for this is that “the fix is very complex and it is extremely risky to backport” and that there are concerns over regression. According to Joxean this means that “there is no patch at all for this vulnerability and Oracle refuses to write a patch for any existing versions, even for Oracle 11g R2. All versions are vulnerable and will remain vulnerable”.

The bug, which is now known as the TNS Poison Vulnerability, exists in all versions of Oracle Database since 1999 (Oracle 8i) and includes the latest one (Oracle 11g). The vulnerability is in the TNS Listener, which is responsible for connection establishment. To exploit the vulnerability no privilege is needed, just network access to the TNS Listener.

Since Oracle 8i the database has supported a load balancing feature known as “remote registration”, where a remote network listener is used to forward client requests to the actual database server responsible for handling requests for a given database. The problem is that, using a man-in-the-middle attack, it is possible to trick the database into accepting commands from another, rogue listener. This is possible because a new request to register a remote listener that has already been registered with the database server is treated as a request from a cluster node after a failover. The result is that the attacker has full access to the database.
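The mechanism described above is a registration-trust problem: the listener accepts a service registration for an already-registered instance from any host that can reach its port. The fragment below is an added listener.ora example for a defender hardening a stand-alone listener; it is not from the article or from Oracle’s advisory text. The listener name LISTENER, the host name and the instance name are placeholders, and the VALID_NODE_CHECKING_REGISTRATION and DYNAMIC_REGISTRATION parameters are taken from Oracle’s published registration-restriction controls, which the article itself does not reproduce (treat their availability on a given release as something to verify in that release’s Net Services reference).

```text
# listener.ora -- added hardening example (placeholders: LISTENER, db01.example.internal, ORCL)

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# Weak (default) behaviour: with no registration restriction, any host that can
# reach port 1521 may send a registration for an existing instance name and be
# treated as a cluster node coming back after a failover.
#
# Hardened option 1: only accept instance/service registrations that originate
# on the local machine. Use SUBNET or an explicit invited-node list instead of
# LOCAL on a RAC cluster that genuinely relies on remote registration.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = LOCAL

# Hardened option 2 (stand-alone databases on releases without the parameter
# above): disable dynamic registration altogether and serve instances only via
# static entries, so no registration packet can add or replace a service.
DYNAMIC_REGISTRATION_LISTENER = OFF
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1)
    )
  )
```

After editing listener.ora the listener must be reloaded for the change to take effect; from a monitoring standpoint, an unexpected registration for an instance that is already being served is the event to alert on, since that is the state the article says the listener currently accepts silently.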

Ironically, Joxean wrote concerning the patch from Oracle: “I didn’t test it myself and, to be honest, I’m very tired of the Oracle world so I did not test it myself. I would not be surprised if the patch doesn’t correctly/completely fix the vulnerability.” And how right he was!

Oracle Releases 88 New Security Fixes

(LiveHacking.Com) – Oracle has released a massive security update to fix 88 security vulnerabilities, many of which are remote code execution issues that can be exploited without user authentication. The update affects a whole range of Oracle products including Oracle Database 10g and 11g, Oracle JDeveloper, Oracle PeopleSoft Enterprise, Solaris and MySQL.

Oracle Database
Among the patches are six security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication (meaning that they can be exploited over a network without the need for a username and password). One of these fixes is applicable to client-only installations (in other words, installations that do not have the Oracle Database Server installed).

Solaris
The Oracle update includes 15 new security fixes for the Oracle Sun Products Suite. Five of these vulnerabilities may be remotely exploitable without authentication. Eight of the fixes are for Solaris and cover Solaris 8, 9, 10 and 11. There are also fixes for the GlassFish Enterprise Server, which has two remotely exploitable vulnerabilities.

MySQL
MySQL has also been updated. There are six new security fixes but none of these vulnerabilities are remotely exploitable without authentication.

The Rest

  • 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication.
  • 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication.
  • 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 2 new security fixes for Oracle Industry Applications.
  • 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication.

Oracle Fixes 78 Vulnerabilities But Questions Arise About Fundamental Flaws in its Flagship Database Product

(LiveHacking.Com) – Oracle has released 78 security fixes for its flagship database software, Fusion Middleware, e-Business Suite, Supply Chain, PeopleSoft, JDEdwards and Sun products, as part of January’s Critical Patch Update (CPU). Included were two fixes for the Oracle Database Server, seventeen for Oracle Sun products, three for Oracle Virtualization and a massive 27 in Oracle MySQL. Only 16 of the 78 fixes are considered critical, i.e. remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” said Oracle in the advisory.

The highest-scored vulnerabilities, under the Common Vulnerability Scoring System (CVSS), are found in the Solaris operating system. The first is a denial of service bug and the second a Kerberos issue.

Oracle also patched MySQL Server 27 times, including one vulnerability in the MySQL protocol that allows a remote attacker to significantly affect the availability of the database. Another, higher-rated vulnerability, while not remotely exploitable without authentication, could both affect availability and potentially expose the confidentiality of data in the database. Some pundits are accusing Oracle of “throwing in the towel” on patching its flagship database as it received only two patches compared to MySQL’s 27.

However, now that the CPU has been issued, InfoWorld has published a story about “a flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.” When they contacted Oracle about the flaw they were asked, in the interest of security, to withhold the story until Oracle had time to develop and test patches that addressed the flaw.


Oracle to Patch 78 Security Vulnerabilities Across Hundreds of its Products

(LiveHacking.Com) – Oracle has published a Critical Patch Update pre-release announcement in which it outlines its intention to patch 78 security vulnerabilities across hundreds of its products. Scheduled for Tuesday, January 17, 2012, the jumbo set of patches affects products such as Oracle Database (10g and 11g), VirtualBox and MySQL.

For Oracle Database there are two security fixes, one of which may be remotely exploitable without authentication. This Critical Patch Update also contains three new security fixes for Oracle VM VirtualBox and Oracle Virtual Desktop Infrastructure (VDI); however, none of these vulnerabilities may be remotely exploitable without authentication. The MySQL patch set is larger, with 27 vulnerabilities scheduled to be patched. One of these vulnerabilities may be remotely exploitable without authentication.

Affected Products and Components

Security vulnerabilities addressed by Oracle’s Critical Patch Update affect the following products:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
  • Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle PeopleSoft Enterprise CRM, version 8.9
  • Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, version 8.52
  • Oracle JDEdwards, version 8.98
  • Oracle Sun Product Suite
  • Oracle Sun Ray, version 5.3
  • Oracle VM VirtualBox, version 4.1
  • Oracle Virtual Desktop Infrastructure, version 3.2
  • Oracle MySQL Server, versions 5.0, 5.1, 5.5, 5.6