Oracle published its quarterly Critical Patch Update for October 2015, addressing 154 vulnerabilities across more than 50 products. Here is our read on the update and some help with prioritization.
- Update for Oracle Java: The newest release for Java 8 is Update 65. Oracle fixed 25 vulnerabilities, 24 of which are remotely exploitable without authentication, and seven carry the maximum CVSS score of 10.0. One of the lower-severity vulnerabilities, CVE-2015-4902, has been used in the wild to bypass Java's click-to-play protection in the browser. Trend Micro has published a blog post with the technical details and how the attack was detected.
Oracle still maintains Java 6 and 7, but only for customers with a support contract. IT departments can use the version-routing capability of Deployment Rule Sets to run the latest Java by default and fall back to the older version only for the specific applications that require it. This shrinks the attack surface considerably: the old, unpatched JRE is reachable only from the whitelisted application URLs, so an attacker would first have to gain control of one of those application servers to plant an exploit.
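The Deployment Rule Set described above, as an added example (this is not from the original post or from Oracle's documentation). It assumes one legacy intranet application at https://legacy-erp.example.internal/ that still needs Java 7; the hostname is a placeholder. The ruleset pins that one location to the most recent Java 7 installed and leaves everything else on normal processing, which means the newest JRE with all of its security prompts intact:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: rules are evaluated top to bottom, first match wins. -->
<ruleset version="1.0+">

  <!-- Rule 1: the one legacy application that is not yet Java 8 clean.
       Hostname is a placeholder for this example.
       location is matched as a URL prefix, so keep it as specific as
       possible (scheme, host and path) and use https so the match cannot
       be spoofed by a man-in-the-middle on the intranet. -->
  <rule>
    <id location="https://legacy-erp.example.internal/erp/" />
    <!-- SECURE-1.7 = the newest Java 7 release installed on the client.
         Note that permission="run" also suppresses the security prompts
         for this location, so scope the rule tightly. -->
    <action permission="run" version="SECURE-1.7">
      <message>Approved legacy ERP client; runs on the last patched Java 7.</message>
    </action>
  </rule>

  <!-- Rule 2: catch-all. An empty <id/> matches every other applet and
       Web Start application. "default" keeps the normal behaviour:
       latest installed JRE, click-to-play and certificate prompts active. -->
  <rule>
    <id />
    <action permission="default" />
  </rule>

</ruleset>
```

To deploy, package the file as DeploymentRuleSet.jar (`jar cvf DeploymentRuleSet.jar ruleset.xml`), sign the jar with jarsigner using a certificate the clients trust, and drop it into the system deployment directory (C:\Windows\Sun\Java\Deployment on Windows, /etc/.java/deployment on Linux). Java 7 must actually be installed on the client for the SECURE-1.7 rule to fire; if it is not, the application simply will not run. Because a `run` rule bypasses the prompts that CVE-2015-4902 was attacking in the first place, resist the temptation to add broad wildcard locations to it.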
- In the Sun Systems Products Suite there are two vulnerabilities in the Integrated Lights Out Manager (ILOM) component, Oracle's counterpart to HP's iLO. ILOM is the out-of-band management processor that provides console access, power on/off and hardware monitoring. You might remember the scramble to check out-of-band management interfaces, HP's iLO included, during Heartbleed last year. These interfaces belong on a dedicated management network, reachable only through a jump host or VPN with additional authentication; but if your machines have their ILOM ports on ordinary production networks, this is a high-priority fix.
- MySQL has 30 fixes, with the highest CVSS score at 9.0. Two of the vulnerabilities do not require authentication. In general we would not expect MySQL to be reachable over the network except from known-good client machines, but if your architecture requires wider exposure, or you have had instances in the past where MySQL was exposed even inadvertently, this is a good patch cluster to look at first.
- Similar reasoning applies to the Oracle RDBMS itself. Critical vulnerabilities exist, but since the database is usually installed deep inside the enterprise network, with its listener unreachable from user segments and the internet, the patch can wait for your next planned upgrade cycle. There is no need to rush anything on these critical systems; take the time to apply the patch first in dev, then in QA, so it gets plenty of testing before production.
- Middleware: By nature it is more exposed to attack, often directly from the internet, so it is worth checking this set of patches against your setup. The higher-scoring vulnerabilities apply to fairly specific products; the more common components such as Oracle HTTP Server and the GlassFish application server have CVSS scores under 5.0.
The remaining patches address a range of products, from PeopleSoft, Siebel and other acquisitions to the Oracle Communications Applications. A good software inventory will be crucial in deciding where to test and install first.