Oracle Remedies 87 Security Flaws

Includes a fix for a dangerous vulnerability rated 10 out of 10

On Wednesday, Oracle released a sizeable security update, fixing 87 vulnerabilities spanning a number of products, including 24 for the Oracle Sun product suite.

The most critical of the vulnerabilities impacts the Oracle JRockit Java Virtual Machine (CVE-2012-3135), and has an importance base score of 10.0 — the highest possible rating. From an exploitation standpoint, a 10.0 score is a “perfect storm,” explained Rapid7 Security Researcher Marcus Carey, because it can be accessed remotely, has low complexity and can result in a complete compromise of the vulnerable software.

Patchwork

Besides the two-dozen bugs tied to the Sun product suite, the update includes 22 security fixes for Oracle Fusion Middleware; a security fix for Oracle Hyperion; nine for Oracle PeopleSoft products; seven for Oracle Siebel CRM; one for Oracle Industry Applications; six for MySQL; four for the Oracle E-Business suite; one for Oracle Enterprise Manager Grid Control; five for the Oracle Supply Chain product suite; four for the Oracle Database Server; a fix for Oracle Application Express Listener and two for Oracle Secure Backup Apache Component.

Vulnerabilities CVE-2012-1740, which impacts Oracle Application Express Listener, and CVE-2012-3192, which affects the Oracle Secure Backup Apache component, are rated 7.8 — the second-highest rating of this month’s update. Both vulnerabilities can be exploited remotely without authentication, informs Oracle.

“Enterprises should be able to understand the cadence and predictability of Oracle’s CPU Advisories so that they can build countermeasures into their security programs to tackle network-based vulnerabilities,” Carey told eWEEK, adding that “these types of high-impact network-based vulnerabilities exist whether they are known or not.”

“Some common-sense network security concepts such as network access control list can mitigate the risk of Internet-based attacks. Organisations should also use these types of controls internally to prevent exploitation from internal assets, which at times could be under the control of attackers,”  Carey continued.

“In order to do this, organisations need to understand how each product communicates on the network by protocol and ports to create the relevant network-based security controls. Simply put, network access to sensitive assets such as the Oracle products, should be on a ‘need-to-access’ type basis.”

Along those lines, Sophos Senior Security Advisor Chester Wisniewski noted that many of the bugs fixed in the update are quite old, and Oracle does not mention whether the flaws were disclosed responsibly or not. For that reason, it is prudent to treat all the patches as high risk, he blogged.

In January, experts accused Oracle of downplaying the severity of some database security flaws. And in May, the company finally offered workarounds for a critical vulnerability affecting its database products, discovered four years earlier.

How well do you know Internet security? Try our quiz and find out!