Waratek Offers Guidance on Oracle's Critical Patch Update for October 2017
Speed to Patch Takes on New Urgency in Wake of Equifax, KRACK and ROCA
DUBLIN and ATLANTA, Oct. 18, 2017 /PRNewswire/ -- Waratek, the virtualization-based application security company, has issued guidance on Oracle's Critical Patch Update (CPU) for October 2017, released on October 17, 2017. Of note, more than 90% of the flaws affecting the widely used Java SE platform can be exploited remotely without credentials.
The October 2017 Oracle Critical Patch Update addresses 250 new security vulnerabilities across hundreds of Oracle products, including the company's widely used Oracle Database Server and Java SE.
The CPU includes:
- Fixes for the Java Virtual Machine and five other vulnerable components within the Oracle Database Server, the most severe of which carries a CVSS Base Score of 8.8. Two of the flaws may be exploited remotely without credentials.
- New security fixes for 22 vulnerabilities across multiple versions of Java SE, 20 of which are remotely exploitable without authentication. The most severe of the Java SE vulnerabilities has a CVSS Base Score of 9.6.
- The first fixes for Java SE 9. The release also makes the JCE Unlimited Strength Jurisdiction Policy Files, which are standard in Java 9, available as an optional setting for Java versions 6 through 8, removing the default key-length restriction and allowing applications to use strong cryptographic algorithms such as AES with 256-bit keys.
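The following startup self-check is an added example, not code from the press release or from Waratek or Oracle. It shows how an application can confirm that the unlimited policy is actually in effect after a CPU is applied, rather than discovering the restriction as a runtime failure. It assumes a JDK at or above the level where the policy is selected by the `crypto.policy` security property (8u151 and Java 9); on older JDKs that property is ignored and the separate policy jars must be installed under `lib/security` instead. The all-zero 256-bit key is used only to probe the policy and must never be used for real data.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Startup check for the JCE jurisdiction policy (added example, not vendor code).
 * Under the "limited" policy AES is capped at 128-bit keys; under "unlimited"
 * Cipher.getMaxAllowedKeyLength returns Integer.MAX_VALUE.
 */
public final class CryptoPolicyCheck {

    /** Reports whether the policy permits 256-bit AES keys in this JVM. */
    static boolean aes256Allowed() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES") >= 256;
        } catch (NoSuchAlgorithmException e) {
            return false; // no AES provider at all: treat as unavailable
        }
    }

    /**
     * Confirms the policy empirically: initialising a cipher with a 256-bit key
     * throws InvalidKeyException ("Illegal key size") under the limited policy.
     */
    static boolean canInitAes256() {
        byte[] probeKey = new byte[32];          // all-zero probe key, never for real data
        byte[] nonce = new byte[12];             // fixed nonce is fine for a policy probe only
        SecretKey key = new SecretKeySpec(probeKey, "AES");
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            return true;
        } catch (InvalidKeyException e) {
            return false;                        // the policy rejected the key length
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("unexpected JCE failure", e);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Assumption of this example: the policy is switched programmatically when the
        // first argument is "unlimited". This must happen before the JCE framework is
        // first used. In production set crypto.policy=unlimited in
        // $JAVA_HOME/lib/security/java.security (or via -Djava.security.properties)
        // so the setting is part of the deployed configuration, not application code.
        if (args.length > 0 && "unlimited".equals(args[0])) {
            Security.setProperty("crypto.policy", "unlimited");
        }

        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 allowed  = " + aes256Allowed());
        System.out.println("AES-256 init ok  = " + canInitAes256());

        // Fail fast with a clear message instead of letting the first encrypt call blow up
        // deep inside the application after the CPU has been rolled out.
        if (!aes256Allowed() || !canInitAes256()) {
            System.err.println("Refusing to start: JCE policy is limited; "
                    + "set crypto.policy=unlimited (8u151+/9+) or install the unlimited policy jars.");
            System.exit(1);
        }
    }
}
```

Run it once with no argument and once with `unlimited` on an 8u151 or later JDK to see both states. Applications that instead lift the restriction by reflecting into internal JCE classes depend on undocumented JDK internals, and a CPU that changes those internals will break them; a check like this one, placed in QA before the production roll-out, surfaces that breakage immediately.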
"Since the July 2017 Oracle CPU, the world has been rocked by Equifax, KRACK and ROCA, giving new urgency to quickly patching these emerging vulnerabilities," said Apostolos Giannakidis, security architect at Waratek. "While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws. And, even though it is always important to pay attention to configuration issues, this CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application."
Analysis
In the past 45 days, security teams have been inundated with routine and emergency security patches, a vivid reminder of how important it is to keep pace with vulnerability fixes, how difficult timely patching is, and how disastrous the consequences of failing to do so can be. Days before Equifax disclosed a breach caused by an unpatched Apache Struts vulnerability, researchers published details of a separate, easily exploitable Struts flaw present in every version of Struts since 2008.
IBM and Oracle also released out-of-cycle patches for flaws so serious they could not wait for the regular patch cycle. And just one day before this Oracle CPU, two new widespread vulnerabilities requiring immediate patching were announced: KRACK, a key-reinstallation attack against WPA2 coordinated through US-CERT, and ROCA, a weakness in RSA key generation on Infineon chips, with advisories from vendors that ship those chips, including Microsoft, Google, Lenovo, HP and Fujitsu.
With each new in-cycle and out-of-cycle patch comes the same recommendation that the "fixes contained in this Security Alert be applied without delay." In practice it takes days, weeks or months, if it happens at all, before a patch is fully deployed across an enterprise. Maintaining a posture of fixing every software flaw with a physical patch is all but impossible.
The Java SE portion of the new Oracle CPU contains fixes for 22 vulnerabilities. More than 90% of them can be exploited remotely without authentication. Around 60% allow an attacker to cause a remote denial of service and therefore severely impact availability. More alarming, more than 72% have a low attack complexity and are therefore easy to exploit. Lastly, it is no surprise that four of the fixes address newly identified deserialization vulnerabilities in the Java Virtual Machine.
Recommended Actions
Waratek actively protects against the 2013 OWASP Top Ten as well as CVEs that allow attackers to perform arbitrary Remote Command Execution (RCE) and deserialization attacks. Customers should apply the virtual patches provided by Waratek to receive immediate protection without restarting their applications. Waratek's Virtual Critical Patch Updates are code equivalent to the physical patches offered by Oracle.
Non-customers should apply the appropriate binary CPU as quickly as possible, since more than 90% of the Java CVEs addressed in the October 2017 CPU can be exploited remotely without credentials. Applying the physical CPU changes the JDK binaries, which raises the risk of incompatibilities and unexpected functionality failures; organizations are therefore advised to apply the CPU in QA and UAT environments before deploying it to production.
Additionally, the physical CPU requires applications to be restarted. Where availability SLAs apply, the upgrade must be planned so that it can be carried out in a timely and orchestrated manner.
About Waratek
Waratek is a pioneer in the next generation of application security solutions. Based on patented virtualization technology, Waratek's Application Security Platform is highly accurate, easy to install, simple to operate and does not slow application performance – while providing protection against known and unknown vulnerabilities in current and legacy software in ways competitors cannot.
Waratek has received the 2017 CDM INFOSEC Leader Award for Application Security, was named 2016's Best Application Security Solution by Government Security News and is the winner of the 2015 RSA Innovation Sandbox Award. JavaWorld notes that "Waratek is the only vendor that can boast of a large-scale production deployment with a Tier 1 global investment bank, the most significant deployment of (runtime protection) that exists for Java technology today."
Waratek is based in Dublin, Ireland and Atlanta, GA. For more information visit www.waratek.com
Media Contact:
Mike Gallo for Waratek
Lumina PR
212-239-8594
[email protected]
SOURCE Waratek