Oracle Security had a busy day yesterday. They released two of their Cumulative Patch Updates, one for Java and one for everything else that they patch. The Java CPU contains 19 CVEs with a CVSS base score of 10 (the highest you can go), indicating that exploiting the vulnerability is not particularly challenging and could give complete control of compromised systems. For all of these vulnerabilities, the browser is the exploit vector. For one of them (CVE-2013-1537), some Java server configurations will also be exposed. In total, there are 42 distinct CVEs for Java this quarter, of which 39 are reachable through the Java Web Start plugin and can be remotely exploited without authentication.
Java exploits have publicly impacted major forces in the world of technology. Both Facebook and Bit9 have disclosed that they were compromised via Java. Administrators and end users alike have to realize that the common wisdom regarding Java plugin security and precautions will not change with this patch, the next one, or the one after that. Java as a web plugin has a lot of unpatched issues, many of which are found and disclosed to Oracle by responsible researchers who are essentially doing Oracle's Quality Assurance work for free on an ongoing basis. We don't know how many vulnerabilities the "bad guys" are finding, though, until they hit the common market in widespread exploits. It is unlikely that skilled and motivated attackers are failing to find the same things as more ethical researchers, and some may well have more resources available to them to look.
With any browser plugin as complex as Java (Flash, for instance), you should always assume that some attacker, somewhere, has at least one 0day waiting for the right opportunity. Disable Java in the browser unless you have a specific business need to run it. Ideally, enable it only in an alternate browser and restrict use of that browser to the sites where you need Java. If you do need to use it, apply this patch immediately, make sure Java is running at the highest security settings, and ensure that any old versions of Java have been uninstalled.
You can check whether you, or users in your organization, are running the most up to date version for free at http://browserscan.rapid7.com/.
The "everything else" CPU, other than Java, affects Oracle database, MySQL, Solaris, WebLogic, WebCenter, PeopleSoft… no VirtualBox this time. It contains a whopping 128 new CVEs.
MySQL is touched by 25 issues; however, the highest-scoring ones are a denial of service and a couple of partial confidentiality and integrity compromises. Nothing to ignore, but no screaming total remote compromise of the DB or underlying OS.
Oracle Database has 4 issues. CVE-2013-1534 affects RAC configurations. It is a CVSS 10 on Windows, meaning complete compromise of the database and probably the underlying operating system. The score is reduced to 7.5 on non-Windows installations. Administrators with servers in this configuration should apply this patch immediately.
Solaris is affected by 18 issues. Nothing is super critical, but they should not be ignored either. Patch in the next maintenance window.
- Oracle JRockit (part of Fusion Middleware) is affected by a CVSS 10 remote compromise.
- Overall, a *lot* of patching, but far fewer screaming concerns than last time. Spend your efforts patching Java first.