Overshadowed by the Duqu madness yesterday, Oracle released a slew of critical updates (please see “Related Links” in the right column of this page). Most interesting, but perhaps with little impact, is the Java SE BEAST update. Oracle claims to have pushed 57 different fixes across their product lines, including patches for Java and their virtualization Sun Ray product. But the hottest thing to talk about, of course, is the patch closing up CVE-2011-3389, or holes in the JSSE.
The BEAST researchers’ demo at Ekoparty Argentina that we posted on last month developed a fresh exploit to crack SSL/TLS sessions with a technique described almost a decade ago. The trick is always in the implementation, not the discussion, so it was impressive work that left the major software vendors with some heavy work. That list of vendors included Oracle, because the exploit developed for the demo abused vulnerabilities in Java code (the researchers claimed that vulnerabilities exist in Microsoft’s Silverlight and Javascript code too, they just didn’t deliver the exploit in those forms. Unfortunately, Silverlight BEAST exploit code is publicly available). The exploit almost turned into more of a disaster when Mozilla considered blocking all Java add-on use from their browsers: “We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.” So, it is somewhat surprising that Oracle rated this fix low within their risk matrix with a “Base Score” of 4.3 (on a scale of 1-10, with 10 being the most risk).
Meanwhile, Oracle gives six different Java patches a base score on their risk matrix of “10”, with four of those highest risk level patches impacting the recently released Java 7. They impact logic within the JRE itself, AWT, Deserialization, and Scripting components within the JRE.
I’ve seen Oracle’s virtualization product “Sun Ray” adopted in a variety of corporate cloud situations, and cloud admin should be aware that the platform is impacted with a fix for CVE-2011-3538 and related authentication issues.
Oracle Critical Patch Update October 2011