Since 2005, Oracle has released a collection of security fixes for their products on every Tuesday closest to the 17th day of January, April, July, and October. These fixes, known as a Critical Patch Update (CPU), are typically cumulative and address security vulnerabilities associated with Oracle products. April’s update, with fixes for 299 vulnerabilities across Oracle's, was its largest CPU to date.
Via Oracle: "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes."
Oracle, the database and cloud computing giant, sees its software used for vital operations by most of the Fortune 500. Their Java-based open source software is used in mission-critical environments across the globe and on more than 15 billion devices.
April’s CPU contained patches for core components of Java products, many of them linked to commonly used third-party software that is standard among large financial services firms, healthcare providers, and transportation companies. These sectors are constantly under attack from malicious hackers, making it all the more important to apply the most recent security patches as soon possible – a task that can take even the most sophisticated organization months or longer to complete.
For organizations that need to constantly monitor and eventually update software, time is of the essence. The same can be said of the cyber criminals looking to exploit faults in the system. Some organizations move faster than others in applying the patches (for many reasons) and hackers can use this window of time to consult Oracle’s public CPU, using it as a roadmap to attack firms.
You don’t have to be a news junkie to be cognizant of the ever-present threat of cyber attacks and the necessity for vigilant security. Cyber attacks are on the uptick and cybersecurity teams are struggling to keep up by remedying software flaws and responding to potential threats.
With the latest Oracle patch release, we have one of the largest software vendors in the world, with expert security resources and dedicated testing and remediation teams, belatedly discovering and responding to the presence of major, known-vulnerable components buried deep in the software stacks of their core software platforms.
To put things in perspective, Oracle finds a new flaw in their products every 100 hours. Some of the flaws included in the most recent CPU date back to 2012. (To be fair, every software developer releases the equivalent of the Oracle CPU, but Oracle’s market share makes it the bellwether of the entire industry.)
That’s five years of an open, unpatched vulnerability. Among the others are over 30 Java-related Common Vulnerabilities and Exposures (CVEs), eight of which directly affect the core Java platform. Nearly 70 percent of the Java-related CVEs are remotely exploitable without authentication.
Addressing years-old vulnerabilities in current patches is proof that we are nearing a crisis point where our ability to respond in a timely and effective manner is at risk. We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities. That is not a sustainable model.
The reason this should mean so much to so many organizations is the fact that third-party software is ubiquitous. In a recent report on more than a thousand commercial web applications, 96 percent included third-party code. Of that, 67 percent had known vulnerabilities with 52 percent being high severity vulnerabilities.
Open source components are not automatically or routinely patched. The challenge is keeping up with vulnerabilities that must be frequently patched. Unlike software from major developers where patches are sent on a schedule, open source code in libraries and central repositories normally require a user to seek a patch or develop their own.
Fortunately, proven technology exists to help address the massive scope of these security updates. Many companies offer solutions that approach application monitoring in a new way, and protection using a secure virtual container in server and cloud environments. Third party options offer approaches that behave like a patch without making code changes or affecting runtime speed, blocking attacks because it operates more deeply in the software, monitoring network packets, files system calls and CPU instructions.
Companies that use application security controls effectively reduce the cost of cyber crime. According to a recent Ponemon Institute study, companies that deployed between eight and nine application controls saved almost $2 million on total cyber crime costs. If only one to three controls were used, the costs increased by an average of $2 million.
Building security into application and data protection in addition to a layered approach with multiple tools can reduce the risk. Dynamic testing, static testing, and run-time application self-protection were also shown to reduce costs and support innovation in the Ponemon study.
The April CPU showed the scale of the challenge that the information technology industry faces in securing modern modular enterprise applications which are composed of dozens or sometimes hundreds of third-party libraries and modules. If a best-of-breed software vendor like Oracle struggles to account for and secure their third-party library dependencies in a major software platform like Oracle Fusion, then how can an “ordinary” enterprise, which is not a sophisticated IT vendor, be expected to do any better?
The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is surprising and troubling. The Struts 2 patch is less surprising because it was first announced in March 2017, but still no less troubling as it points to the continuing issues associated with third-party software components.
The pace of the discovery of software composition vulnerabilities is accelerating quarter-by-quarter and year-by-year. As a result, the IT profession faces an impending crisis point if it does not rapidly begin adopting and embracing automated remediation solutions to detect and block software composition vulnerabilities at runtime in any application, at any layer of the software stack, without human intervention or manual testing.
The most recent CPU was released in April and the next is set to be released this month. An average of 10 new open source flaws is reported each day. But, the ability to find these problems isn’t the issue. It’s fixing them. Oracle's security team is doing the best it can, but like all cybersecurity teams, they struggle to keep up with the wave after wave of vulnerabilities that are being discovered.
Every effective cybersecurity approach developed over the past two decades is fully integrated into the way businesses protect themselves today. The massive scale of vulnerabilities and ubiquity of software flaws, though, means that the measures we’ve relied upon 20-plus years are now unable to provide the level of protection required going forward. Diligent system maintenance, consistent patching, and both automated and manual third-party security solutions are all necessary for end-users to be fully protected.
About the Author:
John Matthew Holt is the founder and CTO of Waratek, an application security company. A JVM/JIT compiler engineer, Holt is a recognized expert in Java, virtualization and application security. He has also been an expert speaker at a number of Java technical events including Red Hat Summit, JavaOne, VMworld, Oracle OpenWorld, Jax London, NY Java SIG, and Docklands London Java Community.
