Oracle Plugs Java for Drive-by Downloads with October CPU
Massive update covers long list of Oracle software including an update for 29 new security vulnerabilities in Java.
Oracle is out this week with its quarterly Critical Patch Update (CPU) fixing software vulnerabilities across its database, middleware, Siebel, PeopleSoft and Sun product groups.
Alongside the October CPU, Oracle is also releasing a Critical Patch Update for Java, which is not the norm for Oracle: the Java and regular Oracle CPU schedules simply happened to coincide this time around.
"Security fixes for Java SE and Java for Business are included in a separate Critical Patch Update because the publication schedule of the Java fixes is not the same as the publication schedule of the Critical Patch Update for other Oracle products," Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post. "These different schedules are due to commitments made to Java customers prior to the Sun acquisition."
As part of the Java update, Oracle is fixing 15 vulnerabilities that carry the maximum CVSS (Common Vulnerability Scoring System) base score of 10.0. Oracle adopted CVSS in 2006 to standardize the way it rates vulnerability risk. In total, 29 new Java security vulnerabilities are being patched by Oracle in the October update.
"The Java update, which was released today, is critical because it fixes vulnerabilities in Java SE and Java for Business that could be used for drive-by downloads, where innocent users are compromised simply by visiting a website," Amol Sarwate, vulnerabilities lab manager at Qualys, told InternetNews.com. "Oracle patches have been big, but with the recent addition of the Sun product line, the CPU is getting even larger and that presents a challenge to system administrators who are responsible for deployment of patches."
In addition to Java, Oracle is providing 31 patches for other former Sun technologies, including Solaris, OpenSolaris and OpenOffice. For OpenOffice, Oracle is delivering five patches. The timing of the Oracle OpenOffice update is somewhat ironic, as a core group of OpenOffice developers has recently forked the project to create the LibreOffice open source office suite.
Oracle's namesake database server is being patched for seven new vulnerabilities, of which only three have been identified as remotely exploitable without authentication. The highest CVSS base score among the database issues is only 6.5.
While the overall number of vulnerabilities reported by Oracle is high, it's not out of line with Oracle's past updates. Oracle's July 2010 CPU patched 59 vulnerabilities.
"Irrespective of the number, it is a concern anytime there is a remotely exploitable issue," Sarwate said. "The number of such issues in today's release is on par with previously released CPUs by Oracle. Administrators should prioritize their patching effort by focusing on components that typically have wider exposure and work their way to components that could be protected by firewalls or other mechanisms. But we strongly recommend fixing all such issues."