April Patch Tuesday Round-Up – Oracle Quarterly CPU Commentary


Patch Tuesday continued! Today Oracle released their quarterly Critical Patch Update, the day that Oracle product updates all come together: Fusion Middleware, PeopleSoft, E-Business Suite, MySQL, and several other products. Oh, and Java, we don't want to forget Java.

Across all updates it looks like 121 CVEs were resolved in total, the oldest of which dates back to 2011 (CVE-2011-4461). Seven of these vulnerabilities rate a 10.0 CVSS, the highest base score on the CVSSv2 scale.

There are a few indicators that can help you prioritize which updates to worry about first. Exploit code being available in Metasploit is an easy one: if it is in Metasploit, it is also in the threat actor's hands. Beyond that, public disclosures help to identify vulnerabilities that stand a higher chance of being exploited. Verizon's 2015 Data Breach Investigations Report uses CVSS data to profile the vulnerabilities more likely to be exploited; if you have not already read this year's report, check out the vulnerabilities section. I did a write-up on the Java Out-of-Band release that came out on March 24th. The Verizon report shows a progression of all vulnerabilities, vulnerabilities exploited, and vulnerabilities exploited within one month of publication. Using the pattern for those exploited in less than a month, 7 out of 7 of the CVSS 10.0 vulnerabilities fit it.

Based on that, I would recommend adding the following priorities to your April Patch Tuesday activities: Java SE (4 of 7), MySQL (2 of 7), and Sun Systems Products Suite (1 of 7) should be updated in this cycle. I know many of you are already a week in, but these are the ones that stand a higher chance of being exploited before your next monthly patch cycle.
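The triage rule described above (Metasploit module first, then public disclosure, then CVSS 10.0), applied to CPU-style advisory rows and producing the per-product "N of 7" counts. This is an added example, not code from the original post; the rows and CVE IDs are constructed placeholders, not the real April CPU data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class CpuEntry:
    """One row of a Critical Patch Update advisory (constructed shape)."""
    cve: str
    product: str
    cvss: float
    in_metasploit: bool = False   # a public exploit module exists
    disclosed: bool = False       # details were public before the fix


# Constructed sample data with placeholder IDs; not real advisory rows.
SAMPLE = [
    CpuEntry("CVE-0000-0001", "Java SE", 10.0, in_metasploit=True),
    CpuEntry("CVE-0000-0002", "Java SE", 10.0),
    CpuEntry("CVE-0000-0003", "Java SE", 10.0, disclosed=True),
    CpuEntry("CVE-0000-0004", "Java SE", 10.0),
    CpuEntry("CVE-0000-0005", "MySQL", 10.0),
    CpuEntry("CVE-0000-0006", "MySQL", 10.0),
    CpuEntry("CVE-0000-0007", "Sun Systems Products Suite", 10.0),
    CpuEntry("CVE-0000-0008", "MySQL", 6.5),
    CpuEntry("CVE-0000-0009", "Fusion Middleware", 7.5, disclosed=True),
    CpuEntry("CVE-0000-0010", "PeopleSoft", 4.3),
]


def tier(e: CpuEntry) -> int:
    """Lower is more urgent: weaponised > disclosed > CVSS 10.0 > the rest."""
    if e.in_metasploit:
        return 1
    if e.disclosed:
        return 2
    if e.cvss >= 10.0:
        return 3
    return 4


def prioritize(entries):
    """Return entries in patch order: by tier, then descending CVSS."""
    return sorted(entries, key=lambda e: (tier(e), -e.cvss, e.cve))


def top_score_products(entries, threshold=10.0):
    """Count vulnerabilities at or above the CVSS threshold per product."""
    return Counter(e.product for e in entries if e.cvss >= threshold)
```

Feed it the real advisory rows and the product counts become your patch-order argument for this cycle.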

Happy Patching Everyone!