Tag Archives: sun

Oracle and Cisco Patches – Daily Security Byte EP. 251

In today’s quick Security Byte video, I cover the Oracle and Cisco patches that have come out over the past few days. If you use products from either company, watch the video for highlights, and check the links below.

(Episode Runtime: 2:20)

Direct YouTube Link: https://www.youtube.com/watch?v=uIc7UrapLus

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle Patch Day: January’s CPU and Java Updates Correct 144 Vulnerabilities

Today, Oracle released their quarterly Critical Patch Update (CPU) for January 2014. CPUs are Oracle’s quarterly collections of security updates, which fix vulnerabilities in a wide range of their products. Oracle publishes their quarterly updates on the Tuesday closest to the 17th of the month, and this quarter that happens to fall on Microsoft and Adobe’s Patch Tuesday.

Overall, Oracle’s CPU and Java updates fix around 144 security vulnerabilities in many different Oracle products and suites. The table below outlines the affected product categories, and the severity of the fixed flaws. The flaws with the highest CVSS rating are the most risky, meaning you should handle them first:

Product or Suite                  Flaws Fixed (CVE)   Max CVSS
Java SE                           36                  10
Fusion Middleware                 22                  10
MySQL                             18                  10
Financial Services Software       1                   10
Sun Systems Products Suite        11                  7.2
Hyperion                          2                   7.1
Virtualization                    9                   6.8
E-Business Suite                  4                   5.5
Supply Chain Product Suite        16                  5.5
Database Server                   5                   5
Siebel CRM                        2                   5
PeopleSoft Products               17                  5
iLearning                         1                   4.3

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 144 vulnerabilities differs greatly, some of them pose a pretty critical risk; especially the Java SE ones.

Almost everyone has Java installed. If you do, I recommend you install the Java update immediately, or perhaps consider uninstalling Java or restricting it in some way using its security controls. With many flaws that have a CVSS rating of 10, the Java exploits allow remote attackers to install malware on your computer via web-based drive-by download attacks; and right now attackers really like targeting Java flaws.

Of course, if you use any of the other affected Oracle software, you should update it as well. I recommend scheduling the updates based on the max CVSS rating for the products. For instance, if you use MySQL, update it quickly, but you can allow yourself more time to fix the iLearning issues. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)
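The post above recommends ordering CPU deployment by each product’s max CVSS. The script below is an added example (not from the post or from Oracle) that parses the January 2014 product rows in the flat layout used above, filters them to an assumed inventory, and ranks them into patch windows; the window thresholds are an assumed local policy, not Oracle’s or WatchGuard’s.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: the January 2014 CPU rows as they appear in the
# post (product name, CVE count, max CVSS), one product per line.
CPU_TABLE = """\
Java SE 36 10
Fusion Middleware 22 10
MySQL 18 10
Financial Services Software 1 10
Sun Systems Products Suite 11 7.2
Hyperion 2 7.1
Virtualization 9 6.8
E-Business Suite 4 5.5
Supply Chain Product Suite 16 5.5
Database Server 5 5
Siebel CRM 2 5
PeopleSoft Products 17 5
iLearning 1 4.3
"""

# Product names contain spaces, so anchor on the two trailing numeric columns.
ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<count>\d+)\s+(?P<cvss>\d+(?:\.\d+)?)$")

# Assumed triage policy: patch window keyed to a product's max CVSS.
TRIAGE_WINDOWS = (
    (9.0, "immediately"),
    (7.0, "within a week"),
    (4.0, "within a month"),
    (0.0, "next maintenance cycle"),
)


@dataclass(frozen=True)
class CpuRow:
    product: str
    flaws: int
    max_cvss: float


def parse_cpu_table(text: str) -> List[CpuRow]:
    """Parse the flat 'Name count score' rows; reject anything malformed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable CPU row: {line!r}")
        rows.append(CpuRow(m["name"], int(m["count"]), float(m["cvss"])))
    return rows


def patch_window(max_cvss: float) -> str:
    for threshold, window in TRIAGE_WINDOWS:
        if max_cvss >= threshold:
            return window
    raise ValueError("CVSS score cannot be negative")


def schedule(rows: List[CpuRow], deployed: Set[str]) -> List[Tuple[str, str]]:
    """Rank only the products we run: highest max CVSS first, then by CVE
    count so the larger fix sets for equally severe products go earlier."""
    mine = [r for r in rows if r.product in deployed]
    mine.sort(key=lambda r: (-r.max_cvss, -r.flaws, r.product))
    return [(r.product, patch_window(r.max_cvss)) for r in mine]


if __name__ == "__main__":
    inventory = {"Java SE", "MySQL", "iLearning", "PeopleSoft Products"}
    for product, window in schedule(parse_cpu_table(CPU_TABLE), inventory):
        print(f"{product:30} {window}")
```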

Oracle Fixes 133 Vulnerabilities with Massive CPU & Java Updates

Yesterday, Oracle released their quarterly Critical Patch Update (CPU) for October 2013. If you haven’t heard of them, CPUs are Oracle’s quarterly collections of security updates, which fix vulnerabilities in a wide range of their products. Oracle publishes their quarterly updates on the Tuesday closest to the 17th of the month (in this case, October 15th). Previously, Oracle decoupled their Java updates from their quarterly CPU cycle. However, that changes as of this release. From now on, Oracle plans to release Java updates quarterly, so this quarter’s Oracle CPU includes a Java security update as well.

Overall, the CPU and Java updates fix around 133 security vulnerabilities in many different Oracle products and suites. The table below outlines the affected products, and the severity of the fixed flaws. The flaws with the highest CVSS rating are the most risky, meaning you should handle them first:

Product or Suite                  Flaws Fixed (CVE)   Max CVSS
Java SE                           51                  10
Database Server                   4                   6.4
MySQL                             12                  8.5
Fusion Middleware                 17                  7.5
Enterprise Manager Grid Control   4                   4.3
Siebel CRM                        9                   6.8
E-Business Suite                  1                   5.0
Supply Chain Product Suite        2                   5.0
Industry Applications             6                   5.5
PeopleSoft Products               8                   5.0
iLearning                         2                   6.8
Financial Services Software       1                   6.0
Primavera Products Suite          2                   5.0
Sun Systems Products Suite        12                  6.1
Virtualization                    2                   5.0

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 133 vulnerabilities differs greatly, some of them pose a pretty critical risk; especially the Java SE ones.

Almost everyone has Java installed. If you do, I recommend you install the Java update immediately, or perhaps consider uninstalling Java or restricting it in some way using its security controls. With a CVSS rating of 10, the Java exploits allow remote attackers to install malware on your computer via web-based drive-by download attacks; and right now attackers really like targeting Java flaws.

Of course, if you use any of the other affected Oracle software, you should update it as well. I recommend scheduling the updates based on the max CVSS rating for the products. For instance, if you use MySQL, update it quickly, but you can allow yourself more time to fix the Grid Control issues. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Oracle’s July 2013 CPU Update

This week, Oracle released their quarterly Critical Patch Update (CPU) for July 2013. CPUs are collections of security updates, which fix vulnerabilities in a wide range of Oracle products. This quarter’s updates fix 89 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                  Flaws Fixed (CVE)   Max CVSS
Database Server                   6                   9.0
Fusion Middleware                 21                  7.5
Enterprise Manager Grid Control   2                   4.3
Hyperion                          1                   3.5
E-Business Suite                  7                   5.5
Supply Chain Product Suite        4                   4.3
MySQL                             18                  6.8
PeopleSoft Products               10                  6.4
iLearning                         1                   4.3
Policy Automation                 1                   4.0
Sun Solaris Products              16                  7.8
Secure Global Desktop             2                   7.5

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 89 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the update for Oracle Database Server fixes a vulnerability with a CVSS score of 9, which is pretty high. Also, some of these flaws allow remote attackers to potentially gain control of your Oracle database, Fusion Middleware, or MySQL servers. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Latest Java Update Fixes 40 Vulnerabilities (For Apple Too)

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 21 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 25 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Today, Oracle released a Java update to fix 40 vulnerabilities in the popular web plugin. Oracle doesn’t describe these flaws in much technical detail, but they do share a Risk Matrix, which describes the severity and impact of each flaw. In a nutshell, most of the flaws are remote code execution issues. Furthermore, Oracle assigns a dozen of them the maximum CVSS score of ten. By enticing you to a web site with malicious content, attackers can leverage many of these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging many Java vulnerabilities in the wild. Cyber criminals are even selling Java exploit kits on the underground market. In short, we highly recommend you apply Oracle’s Java update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 25 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.
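To check whether a host still needs this update, the function below (an added example, not from the alert or from Oracle) parses the banner that `java -version` prints for Oracle Java 7 (for example `java version "1.7.0_21"`) and compares the update level against the fixed level named in the alert, 7 Update 25. The regex and the classification labels are assumptions; Java 6 and older builds are only flagged for review, because the alert gives no specific fixed level for them.

```python
import re
import subprocess
from typing import Optional, Tuple

# Oracle Java 7 reports itself as "1.7.0_<update>"; the group names are mine.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "1\.(?P<major>\d+)\.\d+_(?P<update>\d+)'
)

# Fixed levels taken from the alert: Java 7 Update 25 closes the 40 flaws.
# Assumption: older majors are "legacy" and are routed to a manual review
# against Oracle's Patch Table instead of being judged here.
FIXED_UPDATE = {7: 25}


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a java -version banner, or None."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return int(m["major"]), int(m["update"])


def assess(version_output: str) -> str:
    """Classify a banner as patched, vulnerable, legacy-review, or no-java."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "no-java"  # nothing recognisable installed
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return "legacy-review"
    return "patched" if update >= fixed else "vulnerable"


def assess_local() -> str:
    """Run the java on PATH and classify it; 'no-java' if there is none."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java"
    # java prints its version banner to stderr, so read both streams.
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_local())
```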

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch wild Java exploits. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Another Emergency Java Update Fixes Two New Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 15 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 17 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

I’ll keep this short since Oracle has been releasing many Java updates lately. Yesterday, Oracle released yet another emergency Java update to fix two critical vulnerabilities in the popular web plugin. By enticing you to a web site with malicious content, attackers can leverage these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging these vulnerabilities in the wild. Other research organizations have also found additional Java vulnerabilities. Cyber criminals are even selling a Java exploit kit on the underground market. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 17 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch wild Java exploits. If you use our Gateway AntiVirus (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


Oracle Releases Emergency Java Update for February

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 11 and earlier, on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 13

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Today, many operating systems (OS) implement a Java interpreter to recognize and process Java code from websites and other sources, although some operating systems are beginning to deprecate their Java support for security reasons. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

This week, Oracle released an out-of-cycle security update that fixes 50 different security vulnerabilities in Java. Though the flaws differ technically, many of them share the same scope and impact. If an attacker can entice you into running specially crafted Java code, either directly or from a booby-trapped web site, he can leverage many of these flaws to execute code on your computer, with your privileges. For Windows users, this typically means the attacker gains full control of your machine.

Oracle rates 26 of these Java vulnerabilities with a base CVSS score of 10.0; the most severe rating. Furthermore, attackers are currently leveraging some of these vulnerabilities in the wild. In short, this is an extremely important update for Java users. We highly recommend you apply Oracle’s emergency update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. However, Apple’s update also disables or blocks older versions of Java (6) in your browser. OS X users should also update Java, but be aware the update may prevent you from using some Java content.

Solution Path:

Oracle has released JRE and JDK Update 13 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can help protect you from these Java vulnerabilities in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard’s AV partner, AVG, has developed signatures to catch some Java exploits. If you use our Gateway AntiVirus (GAV) service, it will protect you from some of these attacks.
  • WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


Oracle’s January 2013 CPU Update

This week, Oracle released their quarterly Critical Patch Update (CPU) for January 2013. CPUs are collections of security updates, which fix vulnerabilities in a wide range of Oracle products. This quarter’s updates fix 86 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                  Flaws Fixed (CVE)   Max CVSS
Database Server (and Mobile)      6                   10.0
Fusion Middleware                 7                   5.0
Enterprise Manager Grid Control   13                  7.5
Virtual Box                       1                   2.4
E-Business Suite                  9                   6.4
Supply Chain Product Suite        1                   2.1
MySQL                             18                  9.0
PeopleSoft Products               12                  5.5
JD Edwards Products               1                   3.5
Siebel CRM                        10                  5.0
Sun Product                       8                   6.6

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 86 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the updates for Oracle Database Server fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Oracle Patches Java Zero Day with Out-of-Cycle Update

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 10 and earlier, on all platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 11

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

During last week’s WatchGuard Security Week in Review video, I warned you about a critical zero day vulnerability in the latest version of Java (JRE and JDK 7 Update 10 and earlier), which attackers are actively exploiting in the wild. If an attacker can lure you to a web site containing a malicious Java applet, he could exploit this flaw to gain complete control of your computer.

This week, Oracle released an out-of-cycle security update that fixes the zero day vulnerability, and a second one to boot. They rate each of these Java vulnerabilities with a base CVSS score of 10.0; the most severe rating. Since attackers are exploiting these flaws very actively, and have already built them into popular web exploit frameworks, we highly recommend you apply Oracle’s emergency update immediately. In fact, if you don’t need Java, I suggest you remove it from your computer.

Solution Path:

Oracle has released JRE and JDK Update 11 to correct these issues. If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the updates in the Patch Table section of Oracle’s alert.

Furthermore, attackers have heavily targeted Java lately in their exploit frameworks. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can help protect you from this Java vulnerability in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard’s AV partner, AVG, has developed signatures to catch these zero day exploits. If you use our Gateway AntiVirus (GAV) service, it will protect you from some of these attacks.
  • WatchGuard’s signature writers have developed a generic Java signature, which should block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


Oracle Issues October CPU and Apple Updates Java

This week, Oracle released their quarterly Critical Patch Update (CPU) for October 2012, as well as a separate Java SE security patch. Apple also released OS X Java updates, in relation to Oracle’s Java patch. I describe all these updates below.

Oracle CPU for October 2012:

Oracle CPUs are collections of security updates, which fix vulnerabilities in a wide range of Oracle products. According to their October CPU advisory, this quarter’s updates fix 109 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                  Flaws Fixed (CVE)   Max CVSS
Database Server                   5                   10.0
Fusion Middleware                 26                  10.0
MySQL                             2                   9.0
Sun Product Suite                 18                  7.8
E-Business Suite                  9                   6.4
Supply Chain Product Suite        9                   5.5
Financial Service Software        13                  5.5
PeopleSoft Products               9                   4.3
Siebel CRM                        2                   4.3
Industry Applications             2                   4.3
Virtualization Products           2                   4.3

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 109 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the updates for Oracle Database Server and Fusion Middleware both fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert.

Oracle Java SE CPU:

Oracle also released a separate CPU advisory for Java SE, announcing a security update that fixes 30 vulnerabilities in the popular interpreter used to run Java applications. Again, Oracle doesn’t describe these flaws in technical detail. They only share their severity. However, they’ve assigned ten of the vulnerabilities the maximum CVSS severity score (10), which typically means that remote attackers can leverage them to gain complete control of your computer. In the case of Java attacks, this typically means enticing you to a web site containing malicious Java code.

Personally, I think this Java update is more important than all the patches in Oracle’s primary CPU, simply because almost everybody has Java installed. Right now, Java is one of the most targeted applications for drive-by download attacks, and every major underground web exploit framework has many Java exploits built-in. If you haven’t already, you should patch Java immediately. You can find more information on where to get the update in the Patch Availability Table of Oracle’s advisory.

In a related note, a while back a researcher found a serious “sandbox escape” vulnerability in Java. This update still does not fix that particular flaw. The good news is the researcher has not disclosed the technical details about this flaw to the public, so attackers aren’t exploiting it in the wild. Nonetheless, I would still keep my eye out for a patch since I’m sure blackhat hackers are now searching for it.

Apple Releases Java Updates for OS X:

Finally, yesterday Apple also released Java updates for all current versions of OS X. Apple packages their own version of Java for OS X, probably to make it easier for users to run Java apps. This means when Oracle updates Java, Apple has to update their version separately.

Yesterday’s OS X Java updates fix the same vulnerabilities mentioned in the official Oracle update above; only OS X users need to install Apple’s version of the updates. If you use OS X, download and install Java for Mac OS X 10.6 Update 11 or Java for OS X 2012-006 immediately, or let Apple’s Software Update program do it for you.

As an aside, this update also removes the Java applet plugin from all OS X web browsers. This means when you visit a web page containing a Java applet, the browser will direct you to download Oracle’s Java plugin. While this may cause more work for users, it will also ensure OS X users can get the latest version of Java. In the past, Apple has received flak for updating their version of Java much later than the original Oracle update. This change takes the pressure off Apple. — Corey Nachreiner, CISSP (@SecAdept)