A couple of days ago Oracle put out its quarterly Critical Patch Update advisory, which this time around provided fixes for 78 vulnerabilities. This probably sounds like a lot, but bear in mind that Oracle only issues these advisories on a quarterly basis, so the number is actually in line with the previous three quarters. Here's the breakdown:
- October 2010 - 85
- January 2011 - 66
- April 2011 - 73
- July 2011 - 78
Obviously this quarterly cadence means security professionals working with Oracle products face a heap of extra patching work in January, April, July and October. Managing that workload makes it essential to prioritize patching by criticality: not all vulnerabilities are equal, so focus first on the ones that represent the greatest threat to your environment.
So which ones are the main priorities? Well in my opinion there are seven “deadly” vulnerabilities that require immediate attention. These are CVE-2011-0873, CVE-2011-2239, CVE-2011-2253, CVE-2011-2261, CVE-2011-2285, CVE-2011-2288, and CVE-2011-2305.
I refer to these as "deadly" because they are "game over" vulnerabilities: any one of the seven results in the complete compromise of the affected system. An attacker who exploits one can do anything they want on that system, which gives them the most bang for the buck, so these are going to be the main focus for most attackers.
Of these seven, the worst three are CVE-2011-0873, CVE-2011-2261 and CVE-2011-2288: they are remotely exploitable, low in attack complexity, and require no credentials. These are the type of vulnerabilities that are probably already being exploited in the wild. CVE-2011-0873 can be exploited via HTTP, CVE-2011-2261 via multiple protocols, and CVE-2011-2288 via SSH. Organizations can expect to see publicly available exploits for the big three soon.
CVE-2011-2239 and CVE-2011-2253 are also remotely exploitable over the network, but their attack vectors are considered more complex. CVE-2011-2285 and CVE-2011-2305 have local attack vectors. Note that "local" in CVSS terms means the attacker needs either physical access or a local (shell) account, so restricting physical access to the servers only mitigates these if local logins, including those arriving over SSH, are tightly controlled as well.
For the remotely exploitable, network-based vulnerabilities, organizations should make sure they have correctly deployed network-based countermeasures such as firewalls, VLANs and the appropriate network access control lists. This matters because many organizations cannot patch immediately, for any number of reasons, and many of these vulnerabilities need no credentials to exploit. Resources such as databases should normally not be reachable from outside the organization at all. Unfortunately, if you scan organizations, you'll find Oracle and other database-related services wide open to Internet attack vectors.
There are also 21 HTTP-based vulnerabilities in this batch that can be reached without authentication. Since HTTP is the language of the World Wide Web, these will be remotely discoverable and exploitable. Five SSH-related vulnerabilities also have the potential for remote exploitation; these appear to affect Oracle's Sun operating systems and hardware.
Overall I counted 32 network-based vulnerabilities that don't require authentication.
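The ranking used above (remote, low complexity, unauthenticated and full compromise first; remote but complex second; local or authenticated last) and the count of network-reachable, unauthenticated issues can both be done mechanically from the CVSS v2 base vectors Oracle publishes with each CPU. The following is an added example, not code from the original post or from Oracle: it parses CVSS v2 vector strings, assigns each entry a triage tier, and counts the network-based unauthenticated ones. The entries in `SAMPLE` are constructed with made-up identifiers and vectors purely to exercise the logic; they are not the July 2011 CPU data.

```python
"""Triage advisory entries by CVSS v2 attack vector, complexity and
authentication, following the prioritisation described in the post.
Added example; the sample rows below are constructed, not real CPU data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    cve: str
    vector: str    # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    protocol: str  # attack protocol as listed in the advisory row


def parse_vector(vector: str) -> dict:
    """Split a CVSS v2 base vector into a metric -> value dict.

    Raises ValueError on malformed input so a bad advisory row is noticed
    instead of being silently ranked as low priority.
    """
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed component {part!r} in {vector!r}")
        metrics[key] = value
    for required in ("AV", "AC", "Au"):
        if required not in metrics:
            raise ValueError(f"missing {required} in {vector!r}")
    return metrics


def is_game_over(metrics: dict) -> bool:
    """'Game over' in the post's sense: complete loss of C, I and A."""
    return all(metrics.get(m) == "C" for m in ("C", "I", "A"))


def tier(entry: Entry) -> int:
    """Lower is more urgent.

    0: network, low complexity, no credentials, full compromise ("big three")
    1: network, no credentials, full compromise, but harder to exploit
    2: any other network-reachable issue needing no credentials
    3: local or credentialed issues
    """
    m = parse_vector(entry.vector)
    remote_unauth = m["AV"] == "N" and m["Au"] == "N"
    if remote_unauth and is_game_over(m):
        return 0 if m["AC"] == "L" else 1
    if remote_unauth:
        return 2
    return 3


def triage(entries):
    """Return the entries sorted most urgent first (ties broken by id)."""
    return sorted(entries, key=lambda e: (tier(e), e.cve))


def count_network_unauth(entries) -> int:
    """How many entries are network-based and need no authentication."""
    parsed = (parse_vector(e.vector) for e in entries)
    return sum(1 for m in parsed if m["AV"] == "N" and m["Au"] == "N")


# Constructed sample rows with hypothetical identifiers; the vectors are
# illustrative only and do not describe any real CVE.
SAMPLE = [
    Entry("EXAMPLE-1", "AV:N/AC:L/Au:N/C:C/I:C/A:C", "HTTP"),
    Entry("EXAMPLE-2", "AV:N/AC:M/Au:N/C:C/I:C/A:C", "Multiple"),
    Entry("EXAMPLE-3", "AV:N/AC:L/Au:N/C:P/I:N/A:N", "HTTP"),
    Entry("EXAMPLE-4", "AV:L/AC:L/Au:N/C:C/I:C/A:C", "Local"),
    Entry("EXAMPLE-5", "AV:N/AC:L/Au:S/C:P/I:P/A:P", "Oracle Net"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"tier {tier(e)}  {e.cve:<10} {e.protocol:<10} {e.vector}")
    print("network-based, unauthenticated:", count_network_unauth(SAMPLE))
```

Feeding the real advisory rows in (the CPU risk matrices give the vector components per CVE) gives you the same ordering the post arrives at by hand, and the tier-0 list is what to patch or firewall off first.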
If you have any questions, post them in the comments section and we'll try to help.