April’s Vulnerability Fujiwhara Has Passed, But July’s Is Yet To Come
April 21, 2020 • RBS
On April 14th, security teams were hit by the latest Vulnerability Fujiwhara Effect, the name we are giving to the events in which the disclosure schedules of multiple significant vendors collide. In this storm we saw Microsoft, Oracle, Adobe, SAP, Siemens, Schneider Electric, Broadcom, IBM, McAfee, Xen, Lenovo, VMware, and Intel collectively release a staggering number of vulnerability disclosures and patches for previously disclosed issues. As we stated previously, the hours required for IT security teams to collect, analyze, triage, and then address these vulnerabilities will be considerable.
A Projected Forecast of 300 – 500+
January’s Vulnerability Fujiwhara saw a total of 325 new vulnerabilities, which we used as a benchmark to predict the number for April’s event. Based on the work of our VulnDB team, who closely monitor vulnerability disclosure trends, we forecast 500 or more new vulnerabilities during our recent webinar Vulnerability Management In the Time of a Pandemic.
So, what was the total for the latest storm? Overall, April’s Vulnerability Fujiwhara covered close to 600 vulnerabilities. After our research team assessed each one, a total of 465 new vulnerabilities were published on that day. That number may still rise slightly, as our team continues to process entries from additional sources, typically for software that is not widely deployed.
The average number of newly published vulnerabilities in a day this year is 66, so processing 465 in a single day is a tremendous undertaking. This is especially true during a period when some organizations have shed IT staff in the face of economic disruption, and many are working remotely or dealing with disrupted business processes.
Takeaways from April’s Fujiwhara Effect
Here are some notable takeaways from April’s Vulnerability Fujiwhara Effect:
- Microsoft shipped fixes for three 0days being exploited in the wild
- 101 of the disclosed vulnerabilities had a CVSSv2 score of 7.0 – 10.0
- If your organization prefers CVSSv3 (good luck), 243 of the disclosed vulnerabilities had a CVSSv3 score of 7.0 – 10.0
- Disclosures from six prominent vendors were spread over more than 12 hours
Aside from Intel, most of the vendors we listed as ‘possibly’ disclosing did not release. However, as though to make up for this, SAP’s vulnerability disclosure was larger than usual.
For organizations relying solely on CVE and NVD, be aware that when Microsoft’s advisories were published, NVD had no CVSS scoring or Common Platform Enumeration (CPE) details for several of the Microsoft vulnerabilities. Even worse? At the time this blog was published, they are still missing. Without a score to prioritize by or a CPE to match against an asset inventory, assessment and remediation will be hampered for organizations dependent on that information.
Pay Close Attention to Oracle
The bulk of the vulnerabilities disclosed during this month’s Patch Tuesday came from Oracle. According to Dark Reading, Oracle accounted for “70% of the patch load, addressing 405 new security vulnerabilities” (based on CVE identifiers). To be more precise, however, of those 405 fixes only 230 addressed newly disclosed vulnerabilities. The remaining 175 patched vulnerabilities had been disclosed previously, meaning that organizations running the affected products were exposed to publicly known flaws for some period of time.
How long exactly? Up to six years. Oracle spread its disclosures across four different advisories:
- Oracle Critical Patches – 264 new vulnerabilities in Oracle’s own code, with the oldest vulnerability patched originating from 2015. 203 previously disclosed vulnerabilities in third-party code used within the Oracle suite of software, with the oldest vulnerability patched originating from 2014.
- Solaris Third Party Bulletin – Zero new vulnerabilities in Solaris itself. 16 previously disclosed vulnerabilities in third-party libraries going back to March 2019.
- Oracle Linux – Zero new vulnerabilities disclosed. 210 previously disclosed vulnerabilities, with the oldest vulnerability patched originating from 2014. It is interesting to note that four of the 30 kernel vulnerabilities are attributed directly to issues in “Unbreakable Enterprise Kernel”, but all four are actually vulnerabilities in the upstream Linux kernel.
- VM Server – Zero new vulnerabilities, but three previously disclosed issues, all from this year.
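The two problems described above, the takeaways list (prioritizing by exploitation status and CVSS band while NVD is missing scores and CPEs) and the Oracle breakdown (separating newly disclosed fixes from patches for flaws that have been public for years), are the kind of thing a triage script can do in seconds rather than hours. The following is an added example written for this page, not code from Risk Based Security or VulnDB. It buckets a batch of records into work queues, falls back to the vendor's score where NVD has none, flags entries that still need manual review, and computes how long each previously disclosed flaw sat unpatched. The identifiers, vendors, dates and scores in the sample batch are constructed for illustration and do not correspond to real advisories; the 7.0 threshold and the April 14, 2020 patch day come from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_DAY = date(2020, 4, 14)   # the April 2020 Patch Tuesday discussed in the post
HIGH_SEVERITY = 7.0             # the CVSS 7.0 - 10.0 band used in the post's takeaways


@dataclass
class Vuln:
    """One entry from a vendor advisory, as an analyst would record it (hypothetical schema)."""
    vuln_id: str                        # constructed identifier, not a real CVE
    vendor: str
    first_disclosed: date               # first public disclosure of the flaw
    exploited_in_wild: bool = False
    nvd_cvss3: Optional[float] = None   # None models the NVD gap the post describes
    vendor_cvss3: Optional[float] = None
    cpe: Tuple[str, ...] = ()           # empty tuple models a missing CPE entry in NVD


def effective_score(v: Vuln) -> Optional[float]:
    """Prefer NVD's CVSSv3; fall back to the vendor's own score; None if neither exists."""
    return v.nvd_cvss3 if v.nvd_cvss3 is not None else v.vendor_cvss3


def needs_manual_review(v: Vuln) -> bool:
    """True when NVD lacks the score or CPE data that scanners and asset matching rely on."""
    return v.nvd_cvss3 is None or not v.cpe


def exposure_days(v: Vuln, patch_day: date = PATCH_DAY) -> int:
    """Days between public disclosure and this batch's patch (0 for same-day disclosures)."""
    return (patch_day - v.first_disclosed).days


def triage(vulns: List[Vuln], patch_day: date = PATCH_DAY) -> Dict[str, List[str]]:
    """Bucket a multi-vendor batch into work queues, most urgent first.

    Within a bucket, longest public exposure comes first, then highest score, so a
    flaw that has been known (and possibly weaponised) for years rises to the top.
    """
    def sort_key(v: Vuln):
        score = effective_score(v)
        return (-exposure_days(v, patch_day), -(score if score is not None else 0.0))

    buckets: Dict[str, List[str]] = {
        "exploited_in_wild": [], "high_severity": [], "other": [], "manual_review": []
    }
    for v in sorted(vulns, key=sort_key):
        score = effective_score(v)
        if v.exploited_in_wild:
            buckets["exploited_in_wild"].append(v.vuln_id)
        elif score is not None and score >= HIGH_SEVERITY:
            buckets["high_severity"].append(v.vuln_id)
        else:
            buckets["other"].append(v.vuln_id)
        if needs_manual_review(v):          # tracked separately; an entry can be in two lists
            buckets["manual_review"].append(v.vuln_id)
    return buckets


def previously_disclosed(vulns: List[Vuln], patch_day: date = PATCH_DAY):
    """Split one vendor's batch into newly disclosed fixes and fixes for already-public flaws."""
    new = [v.vuln_id for v in vulns if v.first_disclosed == patch_day]
    old = [(v.vuln_id, exposure_days(v, patch_day)) for v in vulns if v.first_disclosed < patch_day]
    return new, old


# Constructed sample batch: hypothetical IDs, dates and scores, not real advisories.
SAMPLE = [
    Vuln("MS-A", "Microsoft", PATCH_DAY, exploited_in_wild=True, vendor_cvss3=7.8),     # NVD has no score/CPE yet
    Vuln("MS-B", "Microsoft", PATCH_DAY, nvd_cvss3=8.8, cpe=("cpe:2.3:o:example:os",)),
    Vuln("OR-NEW", "Oracle", PATCH_DAY, nvd_cvss3=9.8, cpe=("cpe:2.3:a:example:db",)),
    Vuln("OR-OLD-LIB", "Oracle", date(2014, 6, 5), nvd_cvss3=7.5, cpe=("cpe:2.3:a:example:lib",)),
    Vuln("OR-OLD-KERNEL", "Oracle", date(2019, 3, 1), nvd_cvss3=5.5, cpe=("cpe:2.3:o:example:kernel",)),
    Vuln("SAP-A", "SAP", PATCH_DAY, vendor_cvss3=6.5),                                  # NVD gap again
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket:18} {ids}")
    new, old = previously_disclosed([v for v in SAMPLE if v.vendor == "Oracle"])
    print("Oracle newly disclosed:", new)
    print("Oracle previously disclosed (id, days exposed):", old)
```

The sort order is the point worth copying: a previously disclosed flaw that has been public since 2014 is placed ahead of a brand-new 9.8 because attackers have had years to work on it, and the manual_review queue keeps the NVD gaps visible instead of letting unscored entries quietly sink to the bottom of the list.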
Is This in the Customer’s Best Interest?
600 vulnerabilities and patches in a single day, 465 of them new, is an incredible amount. This raises questions we at Risk Based Security have been asking for a long time: is it even possible to address so many patches at once? If so, how long does it take? Even if vendors truly do have their customers’ best interests in mind, at what point does it simply become too much?
Many vendors have adopted Microsoft’s Patch Tuesday as their own, and it is now an established norm. We reached out to some of these vendors and discussed this topic. Their stance is that releasing everything at once allows customers to plan ahead and address everything at once. What that reasoning does not account for is many vendors doing it on the same day.
Vendors Don’t Make It Easy
Organizations need to be able to prioritize effectively so that they can mitigate the risks that will have the highest impact on them. While there is an advantage in having vendors disclose at known intervals, if nothing is done to prevent massive clashes, focusing on select vendor disclosures such as Microsoft, Adobe, and Oracle becomes infeasible.
What ends up happening instead is an overload of information that needs to be assessed. The sheer size of the workload, and the manner in which it is shared, may cause key vulnerabilities to be lost in the process. For many of these Patch Tuesday disclosures, organizations cannot rely on a single advisory: Oracle alone spread its fixes across four. While our research team is prepared and equipped to quickly sift through numerous advisories, many organizations are not.
How Did Your Organization Handle April’s Storm?
April’s Vulnerability Fujiwhara dumped 465 new vulnerability disclosures on already overworked IT security teams. If your organization is struggling to assess and triage the results of this Patch Tuesday, please don’t hesitate to reach out.
If you are curious to see how your organization would benefit from the most comprehensive vulnerability intelligence solution, we are offering trial access to our flagship VulnDB product.