Oracle released today its Critical Patch Update (CPU) for October 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, including – for the first time in Oct 2013 – Java. Java used to be on a different update cycle of every four months, but as of this month, it is synchronized with the normal Oracle updates.
Let’s start with Java, as it is widely installed and widely attacked; it should be at the top of your patch list today. The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication. The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines. Java 6 is also vulnerable to 11 of the 12 highly critical vulnerabilities, but there are no more public patches for Java 6. The recommended action for Java 6 here is to upgrade to Java 7 if possible. If you cannot upgrade, I would recommend isolating the machine that needs Java 6 and not using it for any other activities that connect it to the Internet, such as e-mail and browsing.
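As an added example (not part of the original post), the following Python script turns the Java guidance above into a check you can run across a fleet: it parses the banner printed by `java -version`, reports whether a host is already on Java 7 update 45, still needs the update, or is on Java 6 and therefore needs an upgrade or isolation. The banner strings in the comments are constructed samples in the format the JDK prints; the thresholds are the ones stated in the post.

```python
import re
import subprocess

# Java 7 Update 45 is the release that ships the October 2013 CPU fixes (from the post).
PATCHED_JAVA7_UPDATE = 45

# `java -version` prints a first line such as:  java version "1.7.0_45"
# (OpenJDK prints: openjdk version "1.7.0_45"); both carry the same quoted version.
VERSION_RE = re.compile(r'version "1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?"')


def parse_java_version(banner):
    """Return (major, update) parsed from a java -version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def assess_java(banner):
    """Classify a banner as ('ok' | 'patch' | 'upgrade' | 'unknown', explanation)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown", "could not parse a Java version from the banner"
    major, update = parsed
    if major == 7:
        if update >= PATCHED_JAVA7_UPDATE:
            return "ok", "Java 7 update %d includes the October 2013 CPU fixes" % update
        return "patch", "Java 7 update %d is below update %d" % (update, PATCHED_JAVA7_UPDATE)
    if major == 6:
        # Java 6 is affected by 11 of the 12 critical issues and gets no public patches.
        return "upgrade", "Java 6 receives no public patches; upgrade to Java 7 or isolate the host"
    return "unknown", "Java major version %d is not covered by this check" % major


def installed_java_banner():
    """Run the local `java -version`; the JDK writes the banner to stderr."""
    try:
        r = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return r.stderr or r.stdout


if __name__ == "__main__":
    status, why = assess_java(installed_java_banner())
    print("%s: %s" % (status, why))
```

Run it locally or ship it through your configuration management tool and collect the first word of the output per host; anything that is not `ok` goes on today's patch list, with `upgrade` hosts handled as the post describes for Java 6.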
The rest of this month’s CPU contains 76 updates involving most of Oracle’s product families. Many of the vulnerabilities addressed allow remote unauthenticated access for the attacker and should be high priority for you to address, particularly on applications that are exposed to the Internet.
Here is our priority list for the update:
- Oracle’s RDBMS has four updates this quarter, all being remotely exploitable. The XML parser vulnerability has the highest CVSS score of 6 (on a scale of 10). One mitigating factor is that Oracle databases are typically not exposed to the Internet.
- Oracle’s MySQL database has eight new vulnerabilities addressed, with the highest score at 8.5 in the MySQL Monitoring component. All vulnerabilities that can be accessed through the network require authentication, though, including two that are remotely accessible and have a CVSS score of 6.8. MySQL is often found exposed to the Internet, even though this is not considered best practice. If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.
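The perimeter scan suggested above needs only a TCP connection: a MySQL server sends its greeting (the HandshakeV10 packet) before the client says anything, and that greeting carries the server version, which is what you compare against the CPU's fixed-version list. The following Python code is an added example, not part of the original post or any Oracle tool; it builds a constructed greeting packet for offline testing, parses the version out of it, and includes a small probe for hosts you are responsible for. The sample version string `5.5.33-log` and connection id are constructed values.

```python
import socket
import struct


def build_sample_greeting(server_version=b"5.5.33-log", connection_id=42):
    """Constructed MySQL HandshakeV10 packet for offline testing (not a real capture)."""
    payload = (
        b"\x0a"                         # protocol version 10
        + server_version + b"\x00"      # NUL-terminated server version string
        + struct.pack("<I", connection_id)
        + b"12345678"                   # auth-plugin-data-part-1 (8 bytes, constructed)
        + b"\x00"                       # filler byte
        + struct.pack("<H", 0xF7FF)     # capability flags, lower 2 bytes
        + b"\x21"                       # character set
        + struct.pack("<H", 0x0002)     # status flags
        + struct.pack("<H", 0x8000)     # capability flags, upper 2 bytes
    )
    header = struct.pack("<I", len(payload))[:3] + b"\x00"  # 3-byte LE length + sequence id
    return header + payload


def parse_mysql_greeting(data):
    """Parse the first packet a MySQL server sends; returns a dict with the version or error."""
    if len(data) < 5:
        raise ValueError("packet too short to be a MySQL greeting")
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated MySQL packet")
    if payload[0] == 0xFF:
        # ERR packet: the server refused us (e.g. host not in its grant tables),
        # which still confirms a MySQL listener is reachable from here.
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"protocol": None, "error": code,
                "message": payload[3:].decode("ascii", errors="replace")}
    protocol = payload[0]
    end = payload.index(b"\x00", 1)                 # end of the NUL-terminated version
    version = payload[1:end].decode("ascii", errors="replace")
    conn_id = struct.unpack_from("<I", payload, end + 1)[0]
    return {"protocol": protocol, "server_version": version, "connection_id": conn_id}


def probe_mysql(host, port=3306, timeout=3.0):
    """Read the greeting from one of your own hosts; the server talks first, so nothing is sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(4096)              # the greeting fits comfortably in one read
    return parse_mysql_greeting(data)


if __name__ == "__main__":
    print(parse_mysql_greeting(build_sample_greeting()))
```

Feed `probe_mysql` the list of your externally routable addresses; every host that answers, whether with a version or with an ERR packet, is a database reachable from the Internet and belongs near the top of this quarter's MySQL patch list.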
- The Sun product family has 12 updates, with a high score of 6.9 in a SPARC server management module (ILOM). Access to these modules should usually be tightly controlled, as they provide very powerful management functions such as power-on/off, but we have seen research just recently showing that these interfaces often end up on the Internet. If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and in your DMZ.
- Oracle’s Fusion Middleware has a total of 17 vulnerabilities, of which 12 are accessible remotely with a maximum CVSS score of 7.5. A good map of where you have Oracle Fusion Middleware products (such as the Identity Manager, GlassFish or Oracle Weblogic) installed is helpful, so that you can prioritize the patching process.
- Fusion also contains the Outside-In product that is used in Microsoft Exchange (and other software packages) for document viewing. Microsoft has addressed the vulnerabilities CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781 in their August Patch Tuesday bulletin MS13-061, so we can expect the new vulnerabilities CVE-2013-5791 and CVE-2013-3624 to cause a new release of Exchange by Microsoft as well.
- Other product families with security updates include Peoplesoft, E-Business and Virtualization.
To address such a large patch release (over 120 vulnerabilities) efficiently, we recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels.