On Wednesday, Oracle released a sizeable security update, fixing 87 vulnerabilities spanning a number of products, including 24 for the Oracle Sun product suite.
The most critical of the vulnerabilities impacts the Oracle JRockit Java Virtual Machine (CVE-2012-3135), and has an importance base score of 10.0 — the highest possible rating. From an exploitation standpoint, a 10.0 score is a “perfect storm,” explained Rapid7 Security Researcher Marcus Carey, because it can be accessed remotely, has low complexity and can result in a complete compromise of the vulnerable software.
Besides the two-dozen bugs tied to the Sun product suite, the update includes 22 security fixes for Oracle Fusion Middleware; a security fix for Oracle Hyperion; nine for Oracle PeopleSoft products; seven for Oracle Siebel CRM; one for Oracle Industry Applications; six for MySQL; four for the Oracle E-Business suite; one for Oracle Enterprise Manager Grid Control; five for the Oracle Supply Chain product suite; four for the Oracle Database Server; a fix for Oracle Application Express Listener and two for Oracle Secure Backup Apache Component.
“Enterprises should be able to understand the cadence and predictability of Oracle’s CPU Advisories so that they can build countermeasures into their security programs to tackle network-based vulnerabilities,” Carey told eWEEK, adding that “these types of high-impact network-based vulnerabilities exist whether they are known or not.”
“Some common-sense network security concepts such as network access control list can mitigate the risk of Internet-based attacks. Organisations should also use these types of controls internally to prevent exploitation from internal assets, which at times could be under the control of attackers,” Carey continued.
“In order to do this, organisations need to understand how each product communicates on the network by protocol and ports to create the relevant network-based security controls. Simply put, network access to sensitive assets such as the Oracle products, should be on a ‘need-to-access’ type basis.”
Along those lines, Sophos Senior Security Advisor Chester Wisniewski noted that many of the bugs fixed in the update are quite old, and Oracle does not mention whether the flaws were disclosed responsibly or not. For that reason, it is prudent to treat all the patches as high risk, he blogged.
In January, experts accused Oracle of downplaying the severity of some database security flaws. And in May, the company finally offered workarounds for a critical vulnerability affecting its database products, discovered four years earlier.
How well do you know Internet security? Try our quiz and find out!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…