Oracle Security Team

Oracle Blogs

October 2016 Critical Patch Update Released

Tue, 2016-10-18 08:00

Oracle today released the October 2016 Critical Patch Update.

This Critical Patch Update provides fixes for a wide range of product families including: Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle recommends this Critical Patch Update be applied as soon as possible. A summary and analysis of this Critical Patch Update has been published on My Oracle Support (Doc ID 2193091.1).

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

My Oracle Support Note 2193091.1 is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2193091.1 (MOS account required).

Unmasking Hackers with User Behavior Analytics

Tue, 2016-09-06 08:00

Many people keep sensitive documents in cloud storage services and the latest breach shows that hackers are focusing on online storage cloud services more frequently. This opens the door to huge vulnerabilities if employees are storing sensitive enterprise information in the cloud. From a preventative perspective, security personnel should review their security measures for the following:

  1. Require multi-factor authentication to access the application
  2. Enforce password strength and complexity requirements
  3. Require and enforce frequent password resets for employees

But manual processes and policies are not enough. At minimum, enterprises should look at automating the enforcement of these policies. For example, you may require multi-factor authentication, but how do you ensure that it's required at all times? A cloud access security broker (CASB) continuously monitors configurations to alert security personnel when changes are made, and automatically creates incident tickets to revert security configurations back to the default setting.

How can enterprises prevent further damage if their employees' credentials were compromised in this hack? We recommend utilizing user behavior analytics (UBA) to look for anomalous activity in an account. UBA uses advanced machine learning techniques to create a baseline of normal behavior for each user. If a hacker is accessing an employee's account using stolen credentials, UBA will flag a number of indicators that this access deviates from the normal behavior of the legitimate user.

Palerra LORIC is a cloud access security broker (CASB) that supports cloud storage services. Here are a few indicators LORIC can use to unmask a potential hacker with stolen credentials:

  1. Flag a login from an unusual IP address or geographic location
  2. Detect a spike in number of file downloads compared to normal user activity
  3. Detect logins outside of normal access hours for the user
  4. Detect anomalous file sharing or file previewing activities
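A toy implementation of these four indicators, added here as an illustration and not Palerra LORIC's or Oracle's code. The audit events, the user, the IP addresses, the countries and the z-score threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: ten days of routine activity for user "alice".
# Each record is (timestamp, user, event, source_ip, country).
BASELINE = []
for day in range(1, 11):
    for hour in (9, 11, 14, 16):
        BASELINE.append((datetime(2016, 8, day, hour), "alice", "login", "203.0.113.10", "US"))
        BASELINE.append((datetime(2016, 8, day, hour, 30), "alice", "download", "203.0.113.10", "US"))
    BASELINE.append((datetime(2016, 8, day, 15), "alice", "share", "203.0.113.10", "US"))

# Constructed "suspicious" day: a 03:05 login from a never-seen address and
# country, followed by a burst of downloads and shares.
TODAY = [(datetime(2016, 8, 20, 3, 5), "alice", "login", "198.51.100.77", "RO")]
TODAY += [(datetime(2016, 8, 20, 3, 6 + i), "alice", "download", "198.51.100.77", "RO")
          for i in range(40)]
TODAY += [(datetime(2016, 8, 20, 3, 50 + i), "alice", "share", "198.51.100.77", "RO")
          for i in range(6)]


def build_profile(events, user):
    """Summarise one user's baseline: known IPs and countries, the hours at
    which logins normally occur, and mean / std-dev of daily event counts."""
    ips, countries, login_hours = set(), set(), set()
    per_day = defaultdict(Counter)
    for ts, u, event, ip, country in events:
        if u != user:
            continue
        ips.add(ip)
        countries.add(country)
        if event == "login":
            login_hours.add(ts.hour)
        per_day[ts.date()][event] += 1

    def daily_stats(event):
        counts = [c[event] for c in per_day.values()]
        return mean(counts), pstdev(counts)

    return {"ips": ips, "countries": countries, "login_hours": login_hours,
            "download": daily_stats("download"), "share": daily_stats("share")}


def score_day(profile, events, user, z_threshold=3.0):
    """Return the set of indicators that fire for one day of a user's events."""
    flags = set()
    counts = Counter()
    for ts, u, event, ip, country in events:
        if u != user:
            continue
        if ip not in profile["ips"] or country not in profile["countries"]:
            flags.add("unusual_ip_or_location")        # indicator 1
        if event == "login" and ts.hour not in profile["login_hours"]:
            flags.add("off_hours_login")               # indicator 3
        counts[event] += 1
    for event, flag in (("download", "download_spike"),      # indicator 2
                        ("share", "anomalous_sharing")):     # indicator 4
        mu, sigma = profile[event]
        # Treat a perfectly regular baseline (sigma == 0) as sigma == 1 so
        # that any material increase still trips the threshold.
        if counts[event] > mu + z_threshold * max(sigma, 1.0):
            flags.add(flag)
    return flags


if __name__ == "__main__":
    profile = build_profile(BASELINE, "alice")
    print(sorted(score_day(profile, TODAY, "alice")))
```

Scoring one of the baseline days against the same profile returns no flags, which is the sanity check a deployment of such rules should pass before the alerts are wired to tickets.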

The ability to gauge legitimate access and activities becomes even more important when you consider that many people use the same password for multiple applications. Instead of just protecting a single online storage cloud service, UBA helps the enterprise protect any cloud environment that could be accessed using the stolen passwords.

If you're concerned that hackers may access your cloud storage environment using stolen employee credentials, you should take preventative and remedial action. Adding a cloud security automation tool helps prevent a breach by enforcing password best practices, and helps limit additional damage after a breach by unmasking hackers posing as legitimate users through flagging anomalous activity.

July 2016 Critical Patch Update Released

Tue, 2016-07-19 14:51

Oracle today released the July 2016 Critical Patch Update.

This Critical Patch Update provides fixes for a wide range of product families including: Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle recommends this Critical Patch Update be applied as soon as possible. A summary and analysis of this Critical Patch Update has been published on My Oracle Support (MOS Note 2161607.1).

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

My Oracle Support Note 2161607.1 is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2161607.1 (MOS account required).

Why Monitoring Alone is Not Enough in Cloud Security

Tue, 2016-07-19 07:00

Comprehensive threat intelligence is key to ensuring the accuracy and maximizing the effectiveness of automated security solutions. Monitoring alone is not enough to correctly identify and remediate a breach. And, while human supervision will always be part of the security equation, the overwhelming amount of data accessible from cloud providers makes it impossible for security personnel to identify and remediate all threats. Here are three ways organizations can use threat intelligence to enhance their current security measures and go beyond simply monitoring their cloud environment:

  1. Require multi-factor authentication: Multi-factor authentication gives the end user more visibility into potential attacks on their account, and they'll change their password before a breach occurs. But how do you ensure that multi-factor authentication is required at all times? A cloud security automation platform continuously monitors security configurations to alert security personnel when changes are made, and automatically creates incident tickets to revert security configurations back to the default setting.

  2. Configure password policies and strength to maintain password integrity: Many people use the same password to log into multiple service providers, and most do not regularly update their passwords. Organizations should configure password policies to ensure passwords expire every 90 days, and cap the number of recycled passwords that can be used. An automated security system enforces password strength requirements to reduce the likelihood of a breach. These systems can flag changes to the password settings, which might indicate an insider threat or hacker access to your system.

  3. Utilize comprehensive threat intelligence: In order to focus on the most credible threats, your security team needs clear, actionable information. Using key security indicators in your automation program can consolidate and correlate data to provide instant insight into the security posture of your cloud services. By setting up custom notifications for likely threat scenarios, security teams can focus on the most immediate threats instead of chasing down potentially useless information.
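An added illustration, not Oracle or Palerra code, of the configuration checks in points 1 and 2: a tenant's current security settings are compared against an approved baseline and each drifted setting becomes an incident record whose action is to revert it. The settings schema, baseline values and the drifted snapshot are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline: the approved security configuration for a cloud tenant.
BASELINE = {
    "mfa_required": True,
    "password_complexity": True,
    "password_min_length": 12,
    "password_expiry_days": 90,   # passwords expire every 90 days
    "password_history": 10,       # previous passwords that may not be reused
}

# How a tenant value may legitimately differ from the baseline:
# "eq" must match, "ge" may be stricter (larger), "le" may be shorter (smaller).
RULES = {
    "mfa_required": "eq",
    "password_complexity": "eq",
    "password_min_length": "ge",
    "password_expiry_days": "le",
    "password_history": "ge",
}


@dataclass(frozen=True)
class Incident:
    setting: str
    observed: object
    expected: object
    action: str = "revert_to_baseline"


def check_drift(snapshot, baseline=BASELINE, rules=RULES):
    """Compare a tenant's current settings with the baseline and return one
    Incident per setting that drifted or is missing altogether."""
    incidents = []
    for key, expected in baseline.items():
        if key not in snapshot:
            incidents.append(Incident(key, None, expected, "restore_missing_setting"))
            continue
        observed = snapshot[key]
        rule = rules[key]
        if rule == "eq":
            ok = observed == expected
        elif rule == "ge":
            ok = observed >= expected
        else:
            ok = observed <= expected
        if not ok:
            incidents.append(Incident(key, observed, expected))
    return incidents


# Constructed drifted snapshot: MFA switched off and expiry relaxed to a year,
# while minimum length was raised (stricter than baseline, so not a drift).
DRIFTED = {**BASELINE, "mfa_required": False, "password_expiry_days": 365,
           "password_min_length": 14}

if __name__ == "__main__":
    for inc in check_drift(DRIFTED):
        print(f"{inc.setting}: observed={inc.observed} expected={inc.expected} -> {inc.action}")
```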

It's not enough to simply monitor cloud services or have a "set it and forget it" mindset about security configurations. Instead, companies must leverage cloud security automation to bring the most immediate and credible threats to the attention of the security team.

Can a CASB Protect You From the Treacherous 12? - Part 4: CASBs and the Treacherous 7 through 12

Thu, 2016-04-21 07:00

Welcome to the fourth in a four-part series on how Cloud Access Security Brokers (CASBs) can help protect your organization from the top twelve threats to cloud computing in 2016. If you want to read the first three blogs, their links are provided below.

This blog series examines whether a CASB can protect your organization from the top cloud computing threats identified by a Cloud Security Alliance (CSA) working group. The four-part series includes:

- Part 1: CASB 101
- Part 2: CASBs and Threat Detection
- Part 3: CASBs and the Treacherous 1-6
- Part 4: CASBs and the Treacherous 7-12

CASBs and the Treacherous 7 through 12

The final 6 of the "Treacherous 12" threats that the CSA working group identified are:

7. Advanced Persistent Threats (APTs)
8. Data loss
9. Insufficient due diligence
10. Abuse and nefarious use of cloud services
11. Denial of Service (DoS)
12. Shared technology issues

Here is a definition and an anecdote for each of these threats, along with an assessment of whether a Cloud Access Security Broker (CASB) like Palerra can help protect against it.

7. Advanced Persistent Threats (APTs)
An APT is a parasitical form of cyberattack that infiltrates systems and establishes a foothold in the computing infrastructure. Once the foothold is in place, the perpetrator can smuggle data and intellectual property. 

A CASB can help with APT attacks. A CASB can help detect anomalies in inbound and outbound data to identify data exfiltration, which further enables you to discover that a network is the target of an attack. 

8. Data loss
Data loss can be due to malicious attacks, accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake.

A CASB is not the solution in this case. Cloud service providers should take measures to back up data according to best practices in business continuity and disaster recovery. Consumers of these services should review the service provider's data loss provisions. 

9. Insufficient due diligence
When a business is under pressure to leverage the benefits of the cloud, the selection process for adopting cloud technologies and choosing cloud service providers can get rushed and proper due diligence can be skipped. When that occurs, organizations are exposed to a myriad of commercial, financial, technical, legal, and compliance risks.

A CASB is not the solution in this case. Executives need to develop a good roadmap and checklist for due diligence when evaluating technologies and cloud service providers. A CASB can help in that process, but the responsibility is with the executives. 

10. Abuse and nefarious use of cloud services
Poorly secured cloud service deployments, free cloud service trials, and account sign-ups that exploit fraudulent payment instruments expose all cloud computing models (including IaaS, PaaS, and SaaS).

A CASB can help monitor infrastructure as a service (IaaS) workloads and software as a service (SaaS) access patterns to better detect suspicious activity such as abnormal launches and terminations of compute instances and abnormal user access patterns.

11. Denial of Service (DoS)
A DoS attack is meant to prevent users of a service from being able to access their data or applications. DoS attacks also flood the cloud service provider with access requests, with the intent of disrupting the service.

A CASB is not the solution in this case. Cloud providers hold the responsibility for taking appropriate precautions to mitigate the impact of DoS attacks.

12. Shared technology issues
Cloud service providers deliver scalable services by sharing infrastructure, platforms, or applications. Because of this shared architecture, one vulnerability or misconfiguration can lead to a compromise across IaaS, PaaS, and SaaS. For example, the VENOM vulnerability allowed attackers to compromise any virtualized platform, which opened millions of virtual machines to attack.

A CASB can help with monitoring of compute, storage, network, and application resources, as well as user security enforcement and cloud service configurations, whether the service model is IaaS, PaaS, or SaaS. However, not all CASBs cover all areas, so be sure that you are working with one that does.

This is the final blog post in the four-part series. For additional information, check out our white paper, "Can a CASB Protect You from the 2016 Treacherous 12?". Or if you prefer an abbreviated format, check out our infographic on the same topic.

April 2016 Critical Patch Update Released

Tue, 2016-04-19 15:02

Oracle today released the April 2016 Critical Patch Update.

This Critical Patch Update provides fixes for a wide range of product families including: Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle recommends this Critical Patch Update be applied as soon as possible. A summary and analysis of this Critical Patch Update has been published on My Oracle Support (MOS Note 2126904.1).

For More Information:

The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

My Oracle Support Note 2126904.1 is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2126904.1 (MOS account required).

Security Alert CVE-2016-0636 Released

Wed, 2016-03-23 14:46

Oracle released Security Alert CVE-2016-0636 to address a vulnerability affecting Java SE in web browsers on desktops. This vulnerability has received a CVSS Base Score of 9.3 and is remotely exploitable without authentication. A successful exploitation of this vulnerability would typically require an unsuspecting user running an affected version of Java SE to visit a malicious web site.

Oracle recommends customers apply this Security Alert as soon as possible. Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.

For more information:

The Advisory for Security Alert CVE-2016-0636 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html

Security Alert CVE-2016-0603 Released

Fri, 2016-02-05 14:42

Oracle just released Security Alert CVE-2016-0603 to address a vulnerability that can be exploited when installing Java 6, 7 or 8 on the Windows platform. This vulnerability has received a CVSS Base Score of 7.6.

To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files to the user's system before installing Java 6, 7 or 8. Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.

Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later.

As a reminder, Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com as these sites may be malicious.

For more information, the advisory for Security Alert CVE-2016-0603 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html

January 2016 Critical Patch Update Released

Tue, 2016-01-19 18:11

Oracle today released the January 2016 Critical Patch Update. With this Critical Patch Update release, the Critical Patch Update program enters its 11th year of existence (the first Critical Patch Update was released in January 2005). As a reminder, Critical Patch Updates are currently released 4 times a year, on a schedule announced a year in advance. Oracle recommends that customers apply this Critical Patch Update as soon as possible.

The January 2016 Critical Patch Update provides fixes for a wide range of product families, including:

  • Oracle Database
    • None of these database vulnerabilities are remotely exploitable without authentication.
  • Java SE vulnerabilities
    • Oracle strongly recommends that Java home users visit the java.com web site to ensure that they are using the most recent version of Java, and advises them to remove obsolete Java SE versions from their computers if they are not absolutely needed.
  • Oracle E-Business Suite
    • Oracle’s ongoing assurance effort with E-Business Suite helps remediate security issues and is intended to help enhance the overall security posture provided by E-Business Suite.

Oracle takes security seriously, and strongly encourages customers to keep up with newer releases in order to benefit from Oracle’s ongoing security assurance effort.

For more information:

The January 2016 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

The Oracle Software Security Assurance web site is located at https://www.oracle.com/support/assurance/index.html.

Oracle Applications Lifetime Support Policy is located at http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf.

Security Alert CVE-2015-4852 Released

Tue, 2015-11-10 15:42

Hello, this is Eric Maurice.

Oracle released Security Alert CVE-2015-4852 on November 10, 2015 to address the publicly-reported deserialization vulnerability involving Oracle WebLogic Server and the Apache Commons library. Apache Commons is a project of the Apache Software Foundation, which provides and maintains a widely-used set of Java components. This library is used by a number of Oracle products as well as many other vendors’ products and open source projects.

According to Wikipedia, “serialization is the process of translating data structures or object state into a format that can be stored” (in a file, in memory, etc.). Deserialization is the reverse process (the extraction of the data or object). The security implications of deserialization have been known for a number of years. OWASP refers to this kind of vulnerability as “deserialization of untrusted data.” In a nutshell, security vulnerabilities may occur when software developers assume that serialized data can be trusted and is well-formed.

Vulnerability CVE-2015-4852 has received a CVSS Base Score of 7.5. If successfully exploited, it can result in remote code execution within Oracle WebLogic Server. This vulnerability is remotely exploitable without authentication (in instances where the vulnerable component can be accessed by the malicious perpetrator in the absence of other controls such as network access restrictions).

While permanent fixes are being prepared for Oracle WebLogic Server, this Security Alert provides mitigation instructions.  Please note that the Security Alert also provides instructions for cloud customers on how to obtain more information about the potential impact of this vulnerability in the Oracle Cloud.

For More Information:

The Advisory for Security Alert CVE-2015-4852 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

October 2015 Critical Patch Update Released

Tue, 2015-10-20 14:56

Hi, this is Eric Maurice. Oracle released the October 2015 Critical Patch Update today.  As a reminder, the Critical Patch Update is Oracle’s primary program for the release of security fixes across Oracle product lines. 

Critical Patch Updates are released 4 times a year, in a schedule that is announced a year in advance.  This predictability is intended to provide Oracle customers the ability to plan for the timely application of these security fixes, so that they can maintain their security posture.  In other words, the predictability of the Critical Patch Update schedule is intended to provide Oracle customers with the ability to include security patching in their regular maintenance activities. 

Periodically, Oracle continues to receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it was reported that malicious attackers were successful because targeted Oracle customers had not applied available security patches. The problem of the non-application of security fixes is all too common in the industry, particularly around complex enterprise applications, due to their complexity, need for near-complete availability, and need for patch testing and validation prior to deployment in production. Oracle recommends that Critical Patch Updates be applied as soon as possible. This recommendation is particularly important today because the October 2015 Critical Patch Update includes a number of fixes for very severe vulnerabilities.

The October 2015 Critical Patch Update provides fixes for 154 new security vulnerabilities across a wide range of product families, including: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

Out of these 154 new security fixes, 8 are for the Oracle Database.  The most severe of these database vulnerabilities (CVE-2015-4863) has received a CVSS Base Score of 10.0.  This CVSS Base Score of 10.0 denotes a vulnerability that is remotely exploitable without authentication, which, if successfully exploited, can result in a full compromise of the targeted system.  In addition, 3 database vulnerabilities received a CVSS Base Score of 9.0. 

The October 2015 Critical Patch Update provides 15 new security fixes for Oracle Sun Systems Products Suite. One of the vulnerabilities fixed with this Critical Patch Update (CVE-2015-4915) has received a CVSS Base Score of 10.0. This vulnerability affects the Integrated Lights Out Manager (a.k.a. ILOM), which is used across a number of products. In addition to applying the necessary patches as soon as possible, Oracle recommends that customers ensure the ILOM interface is not publicly accessible over the Internet.

This Critical Patch Update also provides 23 security fixes for Oracle Fusion Middleware, 16 of which are remotely exploitable without authentication.  The most severe CVSS Base Score reported for these vulnerabilities is 7.5. 

Oracle Hyperion receives one new security fix with a CVSS Base Score of 1.2.

Oracle Enterprise Manager Grid Control receives 5 new security fixes, 3 of which are remotely exploitable without authentication.  The highest reported CVSS Base Score for the vulnerabilities is 6.8.

This Critical Patch Update also includes a number of fixes for Oracle Applications, including 12 new security fixes for Oracle E-Business Suite (maximum reported CVSS Base Score for E-Business Suite is 6.8), 8 new fixes for Oracle Supply Chain Products Suite (maximum CVSS Base Score of 6.8), 8 new security fixes for Oracle PeopleSoft Enterprise products (maximum CVSS Base Score of 6.8), and 1 new security fix for Oracle Siebel CRM (CVSS Base Score of 4.3).

Oracle Industry Applications receive 14 new security fixes.  9 of these fixes are for Oracle Communications Applications, including 5 new fixes for a vulnerability rated with a CVSS Base Score of 10.0 (CVE-2015-2608 affects a component used on 5 of these products).  Oracle Retail Applications get 4 new fixes and the highest reported CVSS Base Score for these vulnerabilities is 7.5.

Oracle Java SE receives 25 new security fixes, 24 of which are remotely exploitable without authentication. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. 20 of the Java SE vulnerabilities only affect client deployments of Java SE (e.g., Java in the browser). The remaining 5 vulnerabilities affect both client and server deployments of Java SE. Java home users should visit the java.com web site to ensure that they are using the most recent version of Java, and remove obsolete Java SE versions from their desktop if they are not needed.

Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible. As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited “in the wild” (some of these bugs were discovered internally as part of our ongoing assurance effort). However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort. Keeping up with security releases is important to help preserve a security-in-depth posture. Fortunately, Critical Patch Update fixes for most Oracle products are cumulative, which means that applying the October 2015 Critical Patch Update will resolve not only the new vulnerabilities reported in today’s advisory, but also all previously reported security issues affecting those Oracle product versions.

For More Information:

The October 2015 Critical Patch Update advisory is located at http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html 
