This month’s Patch Tuesday Round-Up is more of a continuation of Patch Tuesday. If you are not already aware, there was an Oracle quarterly Critical Patch Update yesterday. This means that a boatload of Oracle products now need updates. Pardon the image above, I hacked a last-minute Java bulletin into it. Don’t let the one bulletin fool you though, there are still 25 vulnerabilities being resolved in that single bulletin. Read on for details.
Oracle released its quarterly CPU this Tuesday. A total of 154 vulnerabilities are being addressed across all the Oracle products being updated. That is 29 more vulnerabilities than Microsoft’s October Patch Tuesday release and the updates from Adobe and Google address combined. It can be difficult to sift through this much security data to decide what needs the most attention, but a few indicators can help narrow the priorities:
First, pay attention to the vulnerabilities that are remotely exploitable. This means the vulnerabilities can be exploited across a network without authentication. With this in mind, Java SE and Middleware should rise to the top of your priority list. Java has 25 vulnerabilities being resolved, 24 of which are remotely exploitable. Middleware has 23 vulnerabilities in total, 16 of which are remotely exploitable.
Next, pay attention to CVSS, as it can be a good indicator. However, keep in mind that of all the CVEs observed being exploited in 2014, 97 percent of those exploits were across only 10 CVEs, and many of those were more than 10 years old with CVSS scores lower than 7.0, some even below 5.0. For this reason, you may also want to factor in access complexity, as a low complexity rating indicates a vulnerability that will be easier to exploit. Middleware has a few vulnerabilities with a CVSS score of 7.5 that are also low complexity. Java has seven vulnerabilities scoring 10.0 CVSS, and all of those are low complexity. These should be top priorities.
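As an added example (not code from the original post), here is a small Python script that applies the three filters above, remotely exploitable without authentication, CVSS score, then access complexity, to a constructed list of advisory entries in the style of an Oracle CPU risk matrix. The CVSS v2 base vectors, product names and placeholder CVE ids are all assumptions for illustration.

```python
# Constructed sample entries shaped like rows of an Oracle CPU risk matrix:
# (CVE id, product, CVSS v2 base score, CVSS v2 base vector).
# The CVE ids are placeholders, not real advisories.
SAMPLE = [
    ("CVE-PLACEHOLDER-5", "Java SE", 4.3, "AV:L/AC:L/Au:N/C:P/I:N/A:N"),
    ("CVE-PLACEHOLDER-2", "Fusion Middleware", 7.5, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-PLACEHOLDER-1", "Java SE", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-PLACEHOLDER-4", "Database", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    ("CVE-PLACEHOLDER-3", "Fusion Middleware", 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
]

# Access complexity rank: lower is easier to exploit.
AC_RANK = {"L": 0, "M": 1, "H": 2}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/...' into {'AV': 'N', 'AC': 'L', 'Au': 'N', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def remotely_exploitable(metrics):
    """Remote in the bulletin's sense: reachable over the network (AV:N)
    and no authentication required (Au:N)."""
    return metrics.get("AV") == "N" and metrics.get("Au") == "N"


def prioritize(entries):
    """Order entries: remote/no-auth first, then higher CVSS, then lower
    access complexity. Returns (cve, product) tuples, highest priority first."""
    ranked = []
    for cve, product, score, vector in entries:
        m = parse_vector(vector)
        # False sorts before True, so remote entries come first.
        ranked.append((not remotely_exploitable(m), -score, AC_RANK[m["AC"]], cve, product))
    ranked.sort()
    return [(cve, product) for _, _, _, cve, product in ranked]


def summarize(entries):
    """Per-product tally like the post's '24 of 25 remotely exploitable':
    product -> (total, remotely exploitable)."""
    tally = {}
    for _, product, _, vector in entries:
        total, remote = tally.get(product, (0, 0))
        remote += remotely_exploitable(parse_vector(vector))
        tally[product] = (total + 1, remote)
    return tally


if __name__ == "__main__":
    for cve, product in prioritize(SAMPLE):
        print(f"{product:18} {cve}")
    print(summarize(SAMPLE))
```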
Other indicators can be helpful in prioritizing further, but this is a quick assessment to get people started.