Better go make a fresh pot of coffee and pull up a seat: Oracle’s put out a bonanza of a patch dump, offering 253 fixes for 76 products.
Of those, 15 are critical, with a Common Vulnerability Scoring System (CVSS) score of 9.0 or over. Some allow complete system compromise over HTTP.
In its short-form advisory, Oracle also passed on a “please will you fix these things immediately” message, saying that it’s seeing successful attacks on systems that customers didn’t get around to patching.
It’s serious about this. Italics and bold formatting provided courtesy of Oracle:
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
The fixes apply to Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.
According to Oracle’s more verbose drill-down, the worst of the worst bugs make it possible to compromise Oracle Big Data Discovery, Oracle Web Services, Oracle Commerce or WebLogic over HTTP.
As far as Java goes, February ushered in Oracle’s welcome and overdue killing off of its notoriously insecure Java browser plug-in, but of course death in the browser didn’t kill Java everywhere.
Hence, the current bug crop includes fixes for serious Java vulnerabilities.
Two of them allow “unauthenticated attacker with network access via multiple protocols to compromise Java SE.”
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.
Oracle Database Server
One of the critical bugs, rated 9.1, is a vulnerability in the OJVM component of Oracle Database Server, including versions 22.214.171.124 and 126.96.36.199. Oracle says this “easily exploitable vulnerability” allows a highly privileged attacker holding the Create Session and Create Procedure privileges, with network access via multiple protocols, to compromise OJVM.
An attack can spread from there:
While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM.
Oracle Fusion Middleware
Another critical bug – it’s rated 9.8 – can lead to an attacker taking over Oracle Big Data Discovery, the analytics piece of Oracle’s Fusion Middleware, via its Data Processing subcomponent. The affected versions are 1.1.1, 1.1.3 and 1.2.0.
This one comes over HTTP and is also “easily exploitable”. It lets unauthenticated attackers come in via HTTP to compromise Oracle Big Data Discovery or take it over completely.
Fusion has plenty of other headaches: another 9.8-rated, easily exploited and critical bug is in the Oracle WebLogic Server component, in versions 10.3.6.0, 188.8.131.52 and 184.108.40.206. That one will let unauthenticated attackers come in over HTTP to compromise or hijack Oracle WebLogic Server.
Like your virtual desktops? Another bug, rated 8.2, affects the Sun Ray thin client.
It’s easily exploitable, and unauthenticated attackers with network access via SSL/TLS can mess with the Sun Ray operating system to cause those desktops to hang. It can also allow attackers to inflict a repeated Denial of Service (DoS) on them.
Other Oracle products affected by this update include PeopleSoft Enterprise PeopleTools, JD Edwards EnterpriseOne Tools, and, well, a whole lot more.