Oracle fixes Solaris 10 flaw targeted by leaked NSA exploit
Oracle has pushed out a record-breaking 299 fixes for vulnerabilities in its many, many products, and among them is a Solaris 10 bug whose existence has been revealed through Shadow Brokers’ latest data dump.
The Oracle Critical Patch Update for April 2017, detailed in this advisory, addresses vulnerabilities in Oracle Database Server, Fusion Middleware, PeopleSoft Enterprise, Financial Services Applications, MySQL Product Suite, Java, and many other offerings.
“The patch update contains 40 vulnerabilities assessed critical (CVSS base score 9.0-10.0), including 25 rated 10.0,” ERPScan researchers have noted.
Among these is CVE-2017-3623, the Solaris kernel RPC vulnerability targeted by the EBBISLAND (aka EBBSHAVE) exploit purportedly created by the NSA, which was leaked last Friday.
As explained by Oracle: “Solaris 10 systems which have had any Kernel patch installed after, or updated via patching tools since 2012-01-26 are not impacted. Also, any Solaris 10 system installed with Solaris 10 1/13 (Solaris 10 Update 11) are not vulnerable. Solaris 11 is not impacted by this issue.” Older, unsupported versions of the OS won’t be receiving a patch.
Solaris 11 is also not vulnerable to NSA’s EXTREMEPARR tool, also leaked on Friday, which takes advantage of a local privilege escalation hole in the Common Desktop Environment on Solaris (CVE-2017-3622).
CVE-2017-5638, a critical vulnerability in the Apache Struts framework, which is included in many of Oracle’s products, has also been plugged.
But if you think that the vulnerabilities with a lower rating do not present a significant security risk, you’re wrong.
“For example, a remotely exploitable vulnerability in Oracle E-Business Suite rated 9.1 (the main business applications from the vendor) allows an attacker to read all key business data from the database without authorization,” ERPScan researchers pointed out.
Finally, the Java updates plug eight vulnerabilities, seven of which may be remotely exploitable without authentication. All of them affect client deployments of Java (i.e. individual end-users who still have it installed).
The next Oracle Critical Patch Update is scheduled for July 18, 2017.