This week Oracle released their quarterly Critical Patch Update (CPU) for April 2016. The CPU addresses 136 vulnerabilities in 49 products, including Java, Solaris, several middleware products, VirtualBox, the MySQL database and the original Oracle database.
Oracle does not mention any vulnerabilities that are known to be under attack, but points out that there was an out-of-band release for Java to fix CVE-2016-0636 last month.
Java is one of the software packages that is constantly under attack. Java, as a full-fledged programming language, gives the attacker a large attack surface and then a wide array of tools to continue post-exploitation. This update fixes nine vulnerabilities, with the three most critical sporting a CVSS score of 9.6. The top three apply only to client deployments of Java, so pay attention to them if you have Oracle Java installed on your desktops, especially if you allow Java applets or Java Web Start applications to run through the browser. Attackers have access to solid technology to exploit that type of vulnerability through exploit kits that can be easily acquired on the black markets. There is also a critical vulnerability, CVE-2016-3449, that applies to server deployments of Java, so if your organization runs Java in that very common configuration, check whether you need to patch.
MySQL fixes 31 vulnerabilities in this release. Two vulnerabilities are rated critical (CVE-2016-0705 and CVE-2016-0639) and are accessible over the network. If you run MySQL and your databases are reachable from the internet, you should take a close look at these two vulnerabilities.
The Oracle RDBMS fixes five vulnerabilities, with CVSS scores ranging from 3.3 to 9.0. In the overall release this is a low number, and you might be able to manage the risk without updating.
Oracle Middleware has a large number of vulnerabilities: GlassFish, WebLogic and the iPlanet Web Server all have critical vulnerabilities that you should patch if you run any of these products.
David Litchfield, security researcher at Google, points out that the critical CVE-2016-3466 and CVE-2016-0697 in the Oracle E-Business Suite can be used to gain privileged access to the underlying Oracle database. He promises a blog post with more details soon, but it makes sense to pay special attention to that update.
There are many patches for Oracle products, which you will have to check locally. An accurate inventory proves invaluable in deciding whether you are affected. How do you do this in your organization? Do you have an application registry, or do you enumerate applications automatically?
Check back here for updates; we will monitor for David Litchfield's post on the E-Business Suite vulnerabilities.
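As an added example (not part of the original post, and not an Oracle or ISC tool), here is a small Python inventory helper for the Java and MySQL checks discussed above: it parses the version strings that `java -version` and `mysql --version` / `mysqld --version` print, turns them into comparable tuples, and flags installs that sit below a patched minimum for their release train. The sample CLI output is constructed, and the minimum versions are placeholders, since the post lists no fixed version numbers; take the real ones from the April 2016 CPU advisory for the trains you run.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample CLI output (not captured from real hosts), in the format
# `java -version` (written to stderr) and `mysql --version` actually use.
SAMPLE_JAVA_OUTPUT = (
    'java version "1.8.0_77"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_77-b03)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)\n'
)
SAMPLE_MYSQL_OUTPUT = (
    "mysql  Ver 14.14 Distrib 5.6.29, for Linux (x86_64) using  EditLine wrapper\n"
)

# PLACEHOLDER minimums (assumption, not taken from the advisory): the post lists
# no fixed version numbers, so fill these in from the CPU advisory for your train.
ASSUMED_MIN_JAVA: Version = (1, 8, 0, 999)
ASSUMED_MIN_MYSQL: Version = (5, 6, 999)

JAVA_VERSION_RE = re.compile(r'version "([0-9][0-9._]*)"')
# Matches "Ver 5.6.29" (mysqld --version) or "Distrib 5.6.29" (mysql --version);
# the client's own "Ver 14.14" has only two components and is skipped.
MYSQL_VERSION_RE = re.compile(r"(?:Distrib|Ver) ([0-9]+\.[0-9]+\.[0-9]+)")


def parse_version(text: str) -> Version:
    """'1.8.0_77' -> (1, 8, 0, 77); '11.0.2' -> (11, 0, 2); '5.6.29' -> (5, 6, 29)."""
    return tuple(int(part) for part in re.split(r"[._]", text.strip("._")))


def java_version(output: str) -> Optional[Version]:
    m = JAVA_VERSION_RE.search(output)
    return parse_version(m.group(1)) if m else None


def mysql_version(output: str) -> Optional[Version]:
    m = MYSQL_VERSION_RE.search(output)
    return parse_version(m.group(1)) if m else None


def same_train(found: Version, minimum: Version) -> bool:
    """Only compare releases of one train (Java 8 with Java 8, MySQL 5.6 with 5.6)."""
    return found[:2] == minimum[:2]


def needs_patch(found: Optional[Version], minimum: Version) -> Optional[bool]:
    """True if the product is installed and older than its train's patched minimum;
    None when it is absent or on a train this minimum does not describe."""
    if found is None or not same_train(found, minimum):
        return None
    return found < minimum


def capture(cmd: List[str]) -> Optional[str]:
    """Run a version command locally; keep both streams, since java uses stderr."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):  # binary missing or hung
        return None
    return proc.stdout + proc.stderr


def inventory(host: str, java_out: Optional[str], mysql_out: Optional[str],
              min_java: Version = ASSUMED_MIN_JAVA,
              min_mysql: Version = ASSUMED_MIN_MYSQL) -> Dict[str, object]:
    """One inventory record per host, ready to merge into an application registry."""
    jv = java_version(java_out) if java_out else None
    mv = mysql_version(mysql_out) if mysql_out else None
    return {
        "host": host,
        "java": {"version": jv, "needs_patch": needs_patch(jv, min_java)},
        "mysql": {"version": mv, "needs_patch": needs_patch(mv, min_mysql)},
    }


if __name__ == "__main__":
    # First the constructed sample, then a real run on the machine executing this.
    print(inventory("sample-host", SAMPLE_JAVA_OUTPUT, SAMPLE_MYSQL_OUTPUT))
    print(inventory("localhost", capture(["java", "-version"]),
                    capture(["mysql", "--version"])))
```

Run it per host (or feed it output collected by your configuration management tool) and merge the records into whatever registry you keep; the `None` result is deliberate, so a host on a train you have not entered a minimum for shows up as unknown rather than silently passing.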