Next up: Oracle’s latest quarterly “CPU” patch batch. And it’s utterly ginormous.
Not only are there hundreds of separate bugs squashed, but many of them are extremely serious. Of the 334 CVEs fixed, 191 are remotely exploitable, sans credentials.
And you thought Patch Tuesday was bad? In today’s SB Blogwatch, we don our leisure suits.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: GSTQ.
What’s the craic? Tara Seals barks—“Oracle Ties Previous All-Time Patch High”:
Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). … 43 are critical/severe flaws carrying CVSS scores of 9.1 and above.
The updates include fixes for Oracle’s most widely deployed products. … “Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible.”
Thanks, Captain Obvious. Shaun Nichols adds—“Thought Patch Tuesday was big? Oracle says ‘hold my Java’”:
Oracle has released a sweeping set of security patches across the breadth of its software line. … Delivered one day after Microsoft, Intel, Adobe, and others dropped their scheduled monthly patches, [it] addresses a total of 334 security vulnerabilities across 93 different products.
For Oracle’s flagship Database Server, the update includes an even dozen patches. Three of those are remotely exploitable without authorization. … Some of the highest severity flaws were found in Oracle’s communications apps, where 23 of the 25 CVE-listed bugs were said to be remotely exploitable without the need for any authentication. … Fusion Middleware was host to 38 CVE-listed bugs, 30 remotely exploitable, and three … that were assigned CVSS scores of 9.8 out of 10. In other words – patch them now.
Solaris was the recipient of 10 patches … two of those were found to be remotely exploitable. The Sun ZFS Storage Appliance Kit was host to a particularly nasty RCE flaw. … Also of note was … an elevation of privilege flaw in the Solaris 10 Common Desktop Environment, which was discovered by Marco Ivaldi. [He] describes the flaw as a “cute straight-out-of-the-manual memory corruption” issue, and suggested a number of similar bugs are likely to exist.
tl;dr? John E. Dunn—“Oracle’s January 2020 update”:
As the world’s second-largest software company, Oracle has become an organisation built on big numbers. This includes the number of security patches it issues.
The sheer number of vulnerabilities and the complex dependencies between them can make understanding Oracle’s update page a chore. … Something that jumps out is that 60 individuals and companies are credited with reporting January’s batch of flaws to Oracle, including … Alexander Kornbrust, credited with 41 CVEs on his own.
And here’s what caught Liam Tung’s eye—“Flaws that can be remotely exploited without credentials”:
Two bugs affecting Oracle Human Resources have a severity rating of 9.9 out of 10. … An additional 31 flaws have severity rating of 9.8 affecting Oracle WebLogic Server, Oracle Communications Instant Messaging Server, Enterprise Manager Ops Center, Oracle Application Testing Suite, Hyperion Planning, and JD Edwards Enterprise One Orchestrator.
Oracle’s Java SE also got a dozen fixes … all of them address bugs that can be remotely exploited without user credentials. … Across all products, there are 191 flaws that can be exploited remotely without authentication.
Oracle’s next CPU is scheduled for 14 July, followed by a final 2020 patch update on 20 October.
Yikes. Geordie Coates counts the highlights:
E-Business Suite … Highest score is 9.9 – critical
Hyperion … Highest score is 9.8 – critical
Enterprise Manager/Cloud Control … Highest score is 9.8 – critical
Fusion Middleware … Highest score of 9.8 – critical.
Wow. Lawrence Cruciana—@lcruciana—is scared:
This patch cycle is like something out of a bad 80s horror movie. You know what’s coming but you just have to keep on watching.
It’s like the bad news didn’t stop this month with [Windows,] Oracle, VMware, and **itrix.
But deviated_prevert is less forgiving:
Oracle’s efforts to clean things up are academic if OpenJDK is left out of the equation. Java will suffer if there are impediments thrown up to block the developers.
Open source Java is crucial, and if Dear Larry does not get this then more developers will turn completely away from the platform. It would be sadly ironic if Oracle turns out to be the final nail in the coffin of “write once, run everywhere.”
Thank heavens that HTML5 itself and other alternatives are finally starting to catch up to the role that Java once played.
So installing everything will keep me safe? @pyn3rd warns a warning:
Please take care of your Weblogic Server, cause the Oracle Critical Patch is only released for 184.108.40.206, other versions are unprotected until Jan. 31.
Meanwhile, IT pawn redpawn simply had to say it:
Job security strikes again. Thank you Oracle!
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.