Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches. As a result we are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.
Oracle kicked off the New Year with its first installment of the quarterly CPU (critical patch update) for 2017. The update contains fixes for 270 security issues across a wide range of products. The graph below shows the distribution of the update. More than 100 of the vulnerabilities that were fixed could be exploited by a remote attacker without requiring any credentials. Most remote vulnerabilities could be exploited over the HTTP protocol.
Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger as compared to an average of 161 vulnerabilities in 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories. Other than the exception of Java there are no consumer products, and administrators should focus on their individual patching domains.
Today Oracle released its July critical patch update fixing 276 security issues across hundreds of Oracle products. On average in 2015 Oracle fixed about 161 vulnerabilities per update, and the number was 128 in 2014. That makes today’s update the largest, and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials. The table lists components ordered by the number of issues, and the description below has details. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories.
Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.
Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c and both the vulnerabilities need credentials to be exploited remotely.
Oracle released today its Critical Patch Update (CPU) for October 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, including – for the first time in Oct 2013 – Java. Java used to be on a different update cycle of every four months, but as of this month, it is synchronized with the normal Oracle updates.
Oracle released today its Critical Patch Update (CPU) for July 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, with the exception of Java. Java is on a different update cycle of every four months, but it will be migrated to the same schedule beginning in October of 2013.
This month’s CPU contains 89 updates touching most of Oracle’s product groups. A large percentage (>40%) of the vulnerabilities addressed allow for remote unauthenticated access for the attacker and should be a priority, particularly on applications that are exposed to the Internet.
On November 9, 2011, Oracle announced the launch of Oracle Solaris 11 as the first fully virtualized operating system, providing customers with comprehensive, built-in virtualization capabilities for OS, network and storage resources. Solaris 11 is designed to meet the security, performance and scalability requirements of cloud-based deployments, allowing customers to run their enterprise applications in private, hybrid, or public clouds.
Working closely with Oracle during development and testing, Qualys is pleased to be the first vendor to add support for Oracle Solaris 11 within QualysGuard Policy Compliance. The new compliance checks include configuration checks based on the Oracle Solaris 11 hardening guideline, such as service checks, sshd_config checks, and file permission and ownership checks. This content is immediately available within QualysGuard Policy Compliance for all subscribers.
To enable support for Oracle Solaris 11, simply add your Oracle Solaris 11 IP addresses to a valid Unix authentication record. QualysGuard Scanner Appliances support Oracle Solaris 11 authentication as of ML 5.18. Once successfully authenticated, QualysGuard Policy Compliance will scan Oracle Solaris 11 configurations and report results in a valid Oracle Solaris 11 policy.
For more information regarding QualysGuard Policy Compliance or how to configure QualysGuard Policy Compliance, please visit the Policy Compliance Community.