Hello, welcome to the Wednesday, October 17th, 2018 edition of the Sandstone Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from McLean, Virginia. Oracle today

released its quarterly critical patch update, and with that we have patches for over 300 different vulnerabilities. Before you

get excited about the large number of vulnerabilities being addressed, remember this is across

the entire portfolio of different applications released by Oracle, not just the database. However, there is one Java VM-related

flaw in the database that has a CVSS score of 9.8, allowing unauthenticated remote code

execution. In addition, we still have a lot of log for J-related vulnerabilities that are being addressed here.

This has been sort of an ongoing theme over the last few critical patch updates.

The underlying flaw goes back to 2017.

There also have been a number of components like struts and such that Oracle applications rely on

that are being updated with this critical patch update.

So I would say nothing terribly exciting here from Oracle,

but the difficult part usually is to figure out which of these patches do apply to you.

And then we have a real embarrassing vulnerability in Lib SSH,

a library to implement SSH clients and servers.

With SSH typically the client sends an SSH2 message user-auth request in order to start authentication.

With LIPSH, if your server is using the library, all you need to do is send instead an SSH message user-author success message and, well, you are logged in.

So in short, all the client has to do is say,

hey, I'm authenticated and the server will believe you.

Now, lip SSH is actually not used much for SSH servers,

which somewhat limits the impact of this vulnerability.

This is not your default library that's being used

...