Oracle Security Team

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score affect 19 different vulnerabilities. 

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually require local access to be exploited. 

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.

Hello, this is Eric Maurice.

Oracle just released the April 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 128 new security vulnerabilities across a wide range of product families including the Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Industry Applications, Oracle Primavera, Oracle and Sun Systems Product Suite (including Sun Middleware Products), Oracle MySQL, and Oracle Support Tools. 

Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server.  The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux).  This vulnerability is limited to Oracle Database 11.2.0.2 and 11.2.0.3 operating in RAC configurations. 

This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware.  The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0 and it in fact affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit.  In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.

This Critical Patch Update includes a significant number of security fixes for Oracle Applications.  This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE).  Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18.  In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.

As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite.  18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server.  The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.  

Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service request in case of specific hardware failure). 

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained.  As a reminder, Oracle also today released a Critical Patch Update for Java SE.  The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.

For More Information:

The Security Advisory for the April 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

The Security Advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

More information about Oracle Software Security Assurance programs is located at http://www.oracle.com/us/support/assurance/index.html. 

Hello, this is Eric Maurice.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE. 

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

As always, Oracle recommends that this Security Alert be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default.  This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

As stated in previous blogs, Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers.  The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment.

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

For more information:

The Advisory for Security Alert CVE-2013-1493 can be found at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

More information about Oracle Software Security Assurance can be found at http://www.oracle.com/us/support/assurance/index.html. 

Hi, this is Eric Maurice.

Oracle today released the updated February 2013 Critical Patch Update for Java SE.  As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th.  Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.  

All but one of the vulnerabilities fixed today apply to client deployment of Java.  This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers.  Three of these vulnerabilities received a CVSS Base Score of 10.0.  As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE).  This fix is for a vulnerability commonly referred as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169).  This vulnerability has received a CVSS Base Score of 4.3.

Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.  IT professionals should refer to the advisory located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html and desktop users can install this new version from java.com or through the Java autoupdate.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.   As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products.  The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014. 

For More Information:

The Advisory for the updated February 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Hello, this is Eric Maurice.

On February 1st 2013, Oracle released the February 2013 Critical Patch Update for Java SE.  In the blog entry discussing this Critical Patch Update release, I stated that this Critical Patch Update was originally scheduled to be released on February 19th, and that Oracle decided to accelerate the release of this Critical Patch Update because of the exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. 

As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE.  Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. 

This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn’t be released on February 1st.  A new Critical Patch Update Advisory will also be published on February 19th on http://www.oracle.com/technetwork/topics/security/alerts-086861.html to include information about the additional fixes being released. 

Note that Critical Patch Updates for Java SE are cumulative.  As a result, organizations that may not have applied the February 1st release will be able to apply the updated Critical Patch Update when it is published, and will then gain the benefit of all previously released Java SE fixes.  As usual, desktop users will be able to install this new version from java.com or through the Java autoupdate.

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

For More Information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html   

Hi, this is Eric Maurice again.

Oracle just released the February 2013 Critical Patch Update for Java SE.  The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update. 

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities.  44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers).  In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.  In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).  Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java;   that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in Browser, or in servers, by supplying malicious input to APIs in the vulnerable server components.  In some instances, the exploitation scenario of this kind of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source. 

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE). 

The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0.   This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.   

This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments.  This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment. 

 The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers.  Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score. 

Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default.  The "high" security setting requires users to expressly authorize the execution of unsigned applets allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute "silently").  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned.  After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue.  Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers.  The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

For more information:<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about setting the security level in the Java client is available at http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Product Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EntepriseOne, 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections for the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for Oracle Sun products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 is for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 are for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux). 

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 

Hi, this is Eric Maurice again.

Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers.  These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.  The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174.  These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0.  Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same.  To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website.  The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system.  These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets. 

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.