Skip navigation.

Oracle Security Team

Syndicate content
Updated: 14 hours 51 min ago

Security Alert CVE-2016-0603 Released

Fri, 2016-02-05 14:42

Oracle just released Security Alert CVE-2016-0603 to address a vulnerability that can be exploited when installing Java 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8. Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.

Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.

As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.

For more information, the advisory for Security Alert CVE-2016-0603 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html

 

January 2016 Critical Patch Update Released

Tue, 2016-01-19 18:11

Oracle today released the January 2016 Critical Patch Update.  With this Critical Patch Update release, the Critical Patch Update program enters its 11th year of existence (the first Critical Patch Update was released in January 2005).  As a reminder, Critical Patch Updates are currently released 4 times a year, on a schedule announced a year in advance.  Oracle recommends that customers apply this Critical Patch Update as soon as possible.

The January 2016 Critical Patch Update provides fixes for a wide range of product families; including: 

  • Oracle Database
    • None of these database vulnerabilities are remotely exploitable without authentication. 
  • Java SE vulnerabilities
    • Oracle strongly recommends that Java home users visit the java.com web site, to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed.
  • Oracle E-Business Suite.
    • Oracle’s ongoing assurance effort with E-Business Suite helps remediate security issues and is intended to help enhance the overall security posture provided by E-Business Suite.

Oracle takes security seriously, and strongly encourages customers to keep up with newer releases in order to benefit from Oracle’s ongoing security assurance effort.  

For more information:

The January 2016 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

The Oracle Software Security Assurance web site is located at https://www.oracle.com/support/assurance/index.html.

Oracle Applications Lifetime Support Policy is located at http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf.

Normal 0 false false false EN-US X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:8.0pt; mso-para-margin-left:0in; line-height:107%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri",sans-serif; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

Security Alert CVE-2015-4852 Released

Tue, 2015-11-10 15:42

Hello, this is Eric Maurice.   

Oracle released Security Alert CVE-2015-4852 on November 10, 2015 to address the publicly-reported deserialization vulnerability involving Oracle WebLogic Server and the Apache Commons library.   Apache Commons is a project of the Apache Software Foundation, which provides and maintains a widely-used set of Java components.  This library is used by a number of Oracle products as well as many other vendors’ products and open source projects.   

According to Wikipedia, “serialization is the process of translating data structures or object state into a format that can be stored” (in a file, in memory, etc.).   Deserialization is the reverse process (the extraction of the data or object).  The security implications of deserialization have been known for a number of years.  OWASP refers to this kind of vulnerabilities as “deserialization of untrusted data.”  In a nutshell, security vulnerabilities may occur when software developers assume that serialized data can be trusted and is well-formed.    

Vulnerability CVE-2015-4852 has received a CVSS Base Score of 7.5.  If successfully exploited, it can result in remote code execution within Oracle WebLogic Server.  This vulnerability is remotely exploitable without authentication (in instances where the vulnerable component can be accessed by the malicious perpetrator in the absence of other controls such as network access restrictions).   

While permanent fixes are being prepared for Oracle WebLogic Server, this Security Alert provides mitigation instructions.  Please note that the Security Alert also provides instructions for cloud customers on how to obtain more information about the potential impact of this vulnerability in the Oracle Cloud.

For More Information:

The Advisory for Security Alert CVE-2015-4852 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html  

October 2015 Critical Patch Update Released

Tue, 2015-10-20 13:56

Hi, this is Eric Maurice. Oracle released the October 2015 Critical Patch Update today.  As a reminder, the Critical Patch Update is Oracle’s primary program for the release of security fixes across Oracle product lines. 

Critical Patch Updates are released 4 times a year, in a schedule that is announced a year in advance.  This predictability is intended to provide Oracle customers the ability to plan for the timely application of these security fixes, so that they can maintain their security posture.  In other words, the predictability of the Critical Patch Update schedule is intended to provide Oracle customers with the ability to include security patching in their regular maintenance activities. 

Periodically, Oracle continues to receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes.  In some instances, it was reported that malicious attackers were successful because targeted Oracle customers had not applied available security patches.  The problem of the non-application of security fixes is all too common in the industry, particularly around complex enterprise applications, due to their complexity, need for near-complete availability, and need for patch testing and validation prior to deployment in production. Oracle recommends that Critical Patch Updates be applied as soon as possible.  This recommendation is particularly important today because the October 2015 Critical Patch Update include a number of fixes for very severe vulnerabilities. 

The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

Out of these 154 new security fixes, 8 are for the Oracle Database.  The most severe of these database vulnerabilities (CVE-2015-4863) has received a CVSS Base Score of 10.0.  This CVSS Base Score of 10.0 denotes a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system.  In addition, 3 database vulnerabilities received a CVSS Base Score of 9.0. 

The October 2015 Critical Patch Update provides 15 new security fixes for Oracle Sun Systems Products Suite.  One of the vulnerabilities fixed with this Critical Patch Update (CVE-2015-4915), has received a CVSS Base Score of 10.0.  This vulnerability affects the Integrated Lights Out Manager (a.k.a. ILOM), which is used across a number of products.  In addition to applying the necessary patches as soon as possible, Oracle recommends that customers ensure the ILOM interface be not publicly accessible over the Internet.

This Critical Patch Update also provides 23 security fixes for Oracle Fusion Middleware, 16 of which are remotely exploitable without authentication.  The most severe CVSS Base Score reported for these vulnerabilities is 7.5. 

Oracle Hyperion receives one new security fix with a CVSS Base Score of 1.2.

Oracle Enterprise Manager Grid Control receives 5 new security fixes, 3 of which are remotely exploitable without authentication.  The highest reported CVSS Base Score for the vulnerabilities is 6.8.

This Critical Patch Update also includes a number of fixes for Oracle Applications, including 12 new security fixes for Oracle E-Business Suite (maximum reported CVSS Base Score for E-Business Suite is 6.8), 8 new fixes for Oracle Supply Chain Products Suite (maximum CVSS Base Score of 6.8), 8 new security fixes for Oracle PeopleSoft Enterprise products (maximum CVSS Base Score of 6.8), 1 new security fix for Oracle Siebel CRM (CVSS Base Score of 4.3). 

Oracle Industry Applications receive 14 new security fixes.  9 of these fixes are for Oracle Communications Applications, including 5 new fixes for a vulnerability rated with a CVSS Base Score of 10.0 (CVE-2015-2608 affects a component used on 5 of these products).  Oracle Retail Applications get 4 new fixes and the highest reported CVSS Base Score for these vulnerabilities is 7.5.

Oracle Java SE receives 25 new security fixes, 24 of which are remotely exploitable without authentication.  The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0.  20 of the Java SE vulnerabilities only affect client deployment of Java SE (e.g., Java in the browser).  The remaining 5 vulnerabilities affect client and server deployments of Java SE.  Java home users should visit the java.com web site, to ensure that they are using the most recent version of Java and remove obsolete JAVA SE versions from their desktop if they are not needed.

Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible.  As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited “in the wild” (some of these bugs were discovered internally as part of our ongoing assurance effort).  However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort.  Keeping up with security releases is important to help preserve a security-in-depth posture.  Fortunately, Critical Patch Update fixes for most Oracle products are cumulative, and this means that the application of the October 2015 Critical Patch Update will resolve not only the new vulnerabilities reported in today’s advisory, but also all the previously-reported security issues affecting the affected Oracle product versions.

For More Information:

The October 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html