In a Critical Patch Update, Oracle has officially surpassed its previous record of patches that was set last July. Totaling 299, with 162 of the vulnerabilities being remotely exploitable, Oracle admins are now facing a massive task of updating all of these patches in a quick fashion. I say “quick fashion” as Oracle itself states in their CPU announcement that:
“It has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.“
The massive list of 299 vulnerabilities vary in danger, but there are three in particular that deserve special attention. The first and second of these was initially disclosed in a data dump by the hacking collective the Shadow Brokers. Originally a tool/exploit created by the NSA, the Solaris EBBISLAND and EXTREMEPARR vulnerability targets the Solaris 7-10 on x86 and SPARC architectures with the ability for remote privilege escalation. This is according to Amol Sarwate, director of Qualys Vulnerability Labs, who emphatically stated “these are very critical vulnerabilities” due to the ability of exploitation “without authentication or any information about the targeted machine.”
The third prominent vulnerability involves Apache Struts 2. In the CVE report from the Mitre it is stated “the Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 184.108.40.206 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” This particular vulnerability was used to attempt an upload of Cerber ransomeware, as well as numerous Linux-based DDoS attacks via bots.
As was alluded to in the beginning of this article, many Oracle systems have come under attack and have been successfully breached as a result of not patching disclosed vulnerabilities. I’m going to sound like a broken record here, but it needs repeating as it keeps happening. As much of a pain as patching software like those in the Oracle library can be, it is far worse to be hacked. It is ultimately up to individual organizations to take care of these patches, but with the majority of these exploits being remotely exploitable, it is imperative that black hats not be given easy access to sensitive data.