Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.
Let’s take a look at the groups of software that are affected:
- Oracle Java, with 20 vulnerabilities addressed. The most severe is CVE-2014-4227 with a CVSS score of 10.0, affecting Java v6, v7 and also the newest v8. Another seven vulnerabilities have a CVSS score of 9.3 and are considered critical. All of the critical vulnerabilities apply to client-side installations of Java, i.e. Java on workstations that execute applets and Java Web Start applications. Since Java has been on the radar of many cyber criminals and we have seen Java vulnerabilities included in common exploit kits, you should address these problems as soon as possible.
- Oracle MySQL, with ten vulnerabilities addressed. The highest score is CVSS 6.5, indicating network-accessible vulnerabilities that require authentication, i.e. a username and password to log into the database. We frequently see MySQL databases connected directly to the Internet: Shodan lists almost four million entries for the MySQL port 3306 that are not firewalled. We therefore recommend fast patching for these issues, especially if you are on that list of Internet-accessible IP addresses. Oracle calls out that this update also includes a fix for the Heartbleed vulnerability (CVE-2014-0160) in MySQL Enterprise Server 5.6.
- Oracle RDBMS, the flagship product that many associate with the Oracle brand. Five vulnerabilities are addressed, the most severe being CVE-2013-3751 with a CVSS score of 9.0, in the XML parser of the included HTTP module. It is only present in RDBMS v12; in v11 the vulnerability was already fixed last year.
- In the virtualization space, Oracle addresses 15 vulnerabilities, including seven in the popular virtualization software VirtualBox.
- Oracle Fusion Middleware, which mainly groups all of the Oracle application servers: Glassfish, Weblogic, iPlanet and HTTP. 29 vulnerabilities all in all, with the highest severity of 7.5 found in CVE-2013-1741.
Further there are seven updates for Oracle Hyperion, six for Siebel CRM, five for E-Business, five for PeopleSoft, four for Solaris, three for Supply Chain and one each for Grid Control, Retail and Communications.
Oracle reported no updates for the Oracle Outside In component. Outside In is used by Microsoft Exchange Server as a library, and a flaw there would trigger an update by Microsoft in one of the following months – not this time, so you’re safe for another quarter.
So, as expected, a big update by Oracle. A good inventory of installed software is crucial to ensure that you address all installed versions. But start by focusing on the basics: Java, MySQL and then Oracle RDBMS.