Oracle Security Team


June 2013 Critical Patch Update for Java SE Released

Tue, 2013-06-18 14:51

Hello, this is Eric Maurice again.

Oracle today released the June 2013 Critical Patch Update for Java SE.  This Critical Patch Update provides 40 new security fixes.  37 of these vulnerabilities are remotely exploitable without authentication.

34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.  The highest CVSS Base Score for these client-only fixes is 10.0.

4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.  The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.

One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.

Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates.  Some HTML pages created by version 1.5 or later of the Javadoc tool are vulnerable to frame injection.  This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server.  If exploited, it allows an attacker to inject frames into a vulnerable web page and thereby direct unsuspecting users to malicious web pages through their web browsers.  This vulnerability has received a CVSS Base Score of 4.3.  With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it no longer produces vulnerable pages, and has additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.  More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657.
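The frame-injection class described above, as an added illustration that is neither Oracle's code nor the Javadoc tool's actual output: a frameset index page that picks which page to load into a frame from its own query string. The naive form passes whatever follows the "?" straight through; the hardened form only accepts the relative `pkg/Class.html` shape such documentation links to and falls back to the default frame otherwise. The logic is written as pure functions over the search string so it runs under Node without a browser; the function names (`naiveFrameTarget`, `isSafeFrameTarget`, `hardenedFrameTarget`) and the rejected sample inputs are assumptions constructed for the example.

```javascript
// Added example, not from the Oracle post or the Javadoc tool. Models a
// frameset page that chooses a frame target from its query string.

// Naive behaviour (the vulnerable pattern): everything after "?" becomes
// the frame location as-is, so a query string carrying an absolute URL
// would load a foreign page into the frame of the trusted documentation.
function naiveFrameTarget(search) {
  let target = String(search || '');
  if (target !== '' && target !== 'undefined') target = target.substring(1);
  return target;
}

// Allow-list validator for the frame target. Javadoc-style links are always
// a relative path of identifier-like segments ending in ".html" (nested
// classes use dots inside a segment, e.g. Map.Entry.html). Anything with a
// scheme (":"), an authority ("//"), a leading slash, a ".." segment or
// other characters is rejected. Strict on purpose: the page never needs
// to load anything else into that frame.
const SEGMENT = /^[A-Za-z_$][A-Za-z0-9_$.\-]*$/;
function isSafeFrameTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 1024) return false;
  if (!target.endsWith('.html')) return false;
  const path = target.slice(0, -'.html'.length);
  if (path.includes(':') || path.includes('//')) return false;
  // A leading "/" yields an empty first segment; ".." fails SEGMENT because
  // a segment must start with a letter, "_" or "$".
  return path.split('/').every((segment) => SEGMENT.test(segment));
}

// Hardened behaviour: same parsing, but the value is only used when it
// passes the allow-list; otherwise the page keeps its default frame.
function hardenedFrameTarget(search, fallback = 'undefined') {
  const target = naiveFrameTarget(search);
  return isSafeFrameTarget(target) ? target : fallback;
}

module.exports = { naiveFrameTarget, isSafeFrameTarget, hardenedFrameTarget };
```

In a real page the hardened result is the only value that should ever reach the frame's location; the fallback keeps the default frame content when the parameter is absent or rejected. Retrofitting already-generated pages means replacing the selection script in each index file, which is the kind of work the updater utility mentioned above automates.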

Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities.  Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way. 

Desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version.  As a reminder, security fixes delivered through the Critical Patch Update for Java SE are cumulative: in other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.


For More Information:

The Advisory for the June 2013 Critical Patch Update for Java is located at http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

More information about the Javadoc tool is available at http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html

Maintaining the security-worthiness of Java is Oracle’s priority

Thu, 2013-05-30 09:57

Hi my name is Nandini Ramani, I lead the software development team building the Java platform.  My responsibilities span across the entire Java platform and include platform security. 

Over the past year, there have been several reports of security vulnerabilities in Java, primarily affecting Java running in Web browsers. This blog entry outlines the steps Oracle has taken to address issues with the security-worthiness of Java in web browsers and elsewhere following the acquisition of Sun Microsystems.

Whenever Oracle makes an acquisition, acquired product lines are required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance.  As a result, for example, the Java development organization had to adopt Oracle’s Security Fixing Policies, which among other things mandate that issues must be resolved in priority order and addressed within a certain period of time.

As a result of adopting these stricter procedures, as well as increasing investments in Java overall by Oracle, Java development significantly accelerated the production of security fixes.  Recently-released Critical Patch Updates for Java SE have contained a historically high number of security fixes.  In addition, Oracle decided to publish an additional security release in 2013. The April 2013 Critical Patch Update for Java SE will bring Java to four security releases in 2013 as opposed to the three initially planned.  As a reminder, the February 2012 Critical Patch Update for Java SE provided 14 security fixes, the June 2012 release 14, the October 2012 release 30 (thus the total number of new security fixes provided through Critical Patch Updates for Java in 2012 was 58).  In contrast to these numbers, the February 2013 security releases provided 55 new security fixes, and the April 2013 Critical Patch Update for Java SE provided 42 new security fixes, bringing the total number of security fixes released through the Critical Patch Update for Java in the first half of 2013 to 97.

In addition to accelerating the release of security fixes for Java SE, Oracle’s additional investments have provided the organization with the ability to more quickly respond to reports of 0-days and other particularly severe vulnerabilities.  Java development has gained the ability to produce and test individual security fixes more quickly as evidenced by the quick releases of the most recent Java Security Alerts.  In other words, the procedural and technical changes implemented throughout Java development have enabled the organization to make improvements affecting both the Critical Patch Update program (scheduled release of a greater number of security fixes) and the Security Alert program (faster release of unscheduled security fixes in response to 0-days or particularly severe vulnerabilities).

Starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products.  In other words, Java will now issue four annual security releases.  Obviously, Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program.

The implementation of Oracle Software Security Assurance policies and practices by Java development is also intended to defend against the introduction of new vulnerabilities into the Java code base.  For example, the Java development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code.  The Java team has engaged with Oracle’s primary source code analysis provider to enhance the ability of the tool to work in the Java environment.  The team has also developed sophisticated analysis tools to weed out certain types of vulnerabilities (e.g., fuzzing tools).

Oracle is also addressing the limitations of the existing Java in browser trust/privileges model.  The company has made a number of product enhancements to strengthen default security and provide more end-user control over security.  In JDK 7 Update 2, Oracle added enhanced security warnings before executing applets with an old Java runtime. In JDK 7 Update 6, Oracle began dynamically updating information about security baselines – information used to determine if the current version of Java contains the latest security fixes available.  In JDK 7 Update 10, Oracle introduced a security slider configuration option, and provided for automatic security expiration of older Java versions (to make sure that users run the most recent versions of Java with a more restricted trust model than in older versions).  Further, with the release of JDK 7 Update 21, Oracle introduced the following changes:
  (1) The security model for signed applets was changed.  Previously, signing applets was only used to request increased application privileges.  With this update, signing applets establishes identity of the signer, but does not necessarily grant additional privileges.  As a result, it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed. 
  (2) The default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets.  This change is likely to impact most Java users, and Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations.  Note, however, that users and administrators will be able to specifically opt out of this setting and choose a less secure deployment mode to allow for the execution of unsigned applets.  In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code.
  (3) While Java provides the ability to check the validity of signed certificates through Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) calls before the execution of signed applets, the feature is not enabled by default because of a potential negative performance impact.  Oracle is making improvements to standardized revocation services to enable them by default in a future release.  In the interim, we have improved our static blacklisting to a dynamic blacklisting mechanism including daily updates for both blacklisted jar files and certificates.

Finally, while the security problems affecting Java in Internet browsers have generally not impacted Java running on servers, Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers.  As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments).  With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.” 

Oracle has removed plugins from the Server JRE distribution to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors.  In the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation.  Such significant measures cannot be implemented in current versions of Java since they would violate current Java specifications, but Oracle has been working with other members of the Java Community Process to enable such changes in future versions of Java.

In addition, Oracle wants to improve the manageability of Java in enterprise deployments.  Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization.  The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts.

It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment.  Oracle’s effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.

For more information:
More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
Java security documentation is located at http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Release notes for JDK 7 releases are located at http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

April 2013 Critical Patch Update for Java SE Released

Tue, 2013-04-16 15:03

Hi, this is Eric Maurice.

Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE.  The previous blog entry provided a summary of the April 2013 Critical Patch Update, and this entry will discuss the content of the Critical Patch Update for Java SE.

The April 2013 Critical Patch Update for Java SE provides 42 new security fixes.  39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication.  The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score affects 19 different vulnerabilities.

Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited.

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java Autoupdate.

For More Information:

The advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html.

April 2013 Critical Patch Update Released

Tue, 2013-04-16 15:02

Hello, this is Eric Maurice.

Oracle just released the April 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 128 new security vulnerabilities across a wide range of product families including the Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Industry Applications, Oracle Primavera, Oracle and Sun Systems Product Suite (including Sun Middleware Products), Oracle MySQL, and Oracle Support Tools. 

Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server.  The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux).  This vulnerability is limited to Oracle Database 11.2.0.2 and 11.2.0.3 operating in RAC configurations. 

This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware.  The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0 and it in fact affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit.  In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.

This Critical Patch Update includes a significant number of security fixes for Oracle Applications.  This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE).  Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18.  In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.

As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite.  18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server.  The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.  

Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service requests in case of specific hardware failures).

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained.  As a reminder, Oracle also today released a Critical Patch Update for Java SE.  The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.

For More Information:

The Security Advisory for the April 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

The Security Advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

More information about Oracle Software Security Assurance programs is located at http://www.oracle.com/us/support/assurance/index.html. 

Security Alert CVE-2013-1493 Released

Mon, 2013-03-04 14:46

Hello, this is Eric Maurice.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE. 

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

As always, Oracle recommends that this Security Alert be applied as soon as possible.  Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default.  This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

As stated in previous blogs, Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers.  The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment.


For more information:

The Advisory for Security Alert CVE-2013-1493 can be found at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

More information about Oracle Software Security Assurance can be found at http://www.oracle.com/us/support/assurance/index.html. 

Updated February 2013 Critical Patch Update for Java SE Released

Tue, 2013-02-19 15:01

Hi, this is Eric Maurice.

Oracle today released the updated February 2013 Critical Patch Update for Java SE.  As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th.  Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.  

All but one of the vulnerabilities fixed today apply to client deployment of Java.  This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers.  Three of these vulnerabilities received a CVSS Base Score of 10.0.  As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 
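The scoring argument above (the same remotely exploitable bug rated 10.0 when the victim runs as administrator and 7.5 when Confidentiality, Integrity and Availability drop from "Complete" to "Partial") follows directly from the CVSS v2.0 base equation. The block below is an added example, not from the Oracle post or advisory: it implements that equation with the published CVSS v2 metric weights and scores the two cases. The vectors it scores are constructed to match the situation the paragraph describes; the advisory's actual per-CVE vectors are not on this page, so the 4.3 vector in the test is likewise only a constructed vector that yields that score.

```javascript
// Added example (not from the Oracle post): CVSS v2.0 base-score arithmetic.
// Weights are the published CVSS v2 constants; vectors are constructed.

const AV = { L: 0.395, A: 0.646, N: 1.0 };    // Access Vector
const AC = { H: 0.35, M: 0.61, L: 0.71 };     // Access Complexity
const AU = { M: 0.45, S: 0.56, N: 0.704 };    // Authentication
const IMPACT = { N: 0.0, P: 0.275, C: 0.66 }; // C/I/A impact: None, Partial, Complete

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse "AV:N/AC:L/Au:N/C:C/I:C/A:C" into a metric map, rejecting anything
// malformed or incomplete so a typo cannot silently score as another vector.
function parseCvss2Vector(vector) {
  const tables = { AV, AC, Au: AU, C: IMPACT, I: IMPACT, A: IMPACT };
  const metrics = {};
  for (const part of String(vector).split('/')) {
    const [key, value] = part.split(':');
    if (!hasOwn(tables, key) || !hasOwn(tables[key], value)) {
      throw new Error(`bad CVSS v2 metric: ${part}`);
    }
    metrics[key] = value;
  }
  for (const key of Object.keys(tables)) {
    if (!hasOwn(metrics, key)) throw new Error(`missing metric ${key}`);
  }
  return metrics;
}

// Round to one decimal place, as CVSS v2 scores are reported.
function roundTo1(x) {
  return Math.round(x * 10) / 10;
}

// CVSS v2.0 base equation:
//   Impact         = 10.41 * (1 - (1-C)(1-I)(1-A))
//   Exploitability = 20 * AV * AC * Au
//   BaseScore      = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
//   f(Impact)      = 0 if Impact == 0, else 1.176
function cvss2BaseScore(vector) {
  const m = parseCvss2Vector(vector);
  const impact = 10.41 * (1 - (1 - IMPACT[m.C]) * (1 - IMPACT[m.I]) * (1 - IMPACT[m.A]));
  const exploitability = 20 * AV[m.AV] * AC[m.AC] * AU[m.Au];
  const fImpact = impact === 0 ? 0 : 1.176;
  return roundTo1((0.6 * impact + 0.4 * exploitability - 1.5) * fImpact);
}

// The comparison the post makes: a remote, no-authentication, low-complexity
// client bug with Complete impact (victim is an administrator) versus the
// same bug with Partial impact (victim is an unprivileged user).
function adminVsUnprivilegedScores() {
  return {
    admin: cvss2BaseScore('AV:N/AC:L/Au:N/C:C/I:C/A:C'),        // 10.0
    unprivileged: cvss2BaseScore('AV:N/AC:L/Au:N/C:P/I:P/A:P'), // 7.5
  };
}

module.exports = { parseCvss2Vector, cvss2BaseScore, adminVsUnprivilegedScores };
```

The Exploitability term is identical in both vectors (about 9.997), so the whole difference comes from the Impact term: 10.0 for three Complete metrics versus roughly 6.44 for three Partial ones. That is why Oracle's convention of reporting the highest score on the Windows-administrator assumption produces a 10.0 that an unprivileged Solaris or Linux user would see as a 7.5 for the same bug.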

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE).  This fix is for a vulnerability commonly referred to as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169).  This vulnerability has received a CVSS Base Score of 4.3.

Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.  IT professionals should refer to the advisory located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html and desktop users can install this new version from java.com or through the Java autoupdate.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security-worthiness of the Java Runtime Environment (JRE) in desktop browsers.  As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products.  The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014.


For More Information:

The Advisory for the updated February 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
