Urgent Attention Advised As Oracle Issues Another Big Patch

Oracle released 78 security fixes across its database and other products in its portfolio as part of its Critical Patch Update (CPU).

January’s Critical Patch Update contains two fixes for the Oracle Database Server, 11 for Oracle Fusion Middleware, three in Oracle e-Business Suite, one in Oracle Supply Chain, six in Oracle PeopleSoft, eight in Oracle JDEdwards, 17 in Oracle Sun products, three in Oracle Virtualization and 27 in Oracle MySQL, the company said in a CPU advisory. Of the 78 fixes, only 16 were considered critical, or could be remotely exploited without needing a username and password.

Urgent fixes

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in the advisory. If IT Manager delay updating their systems with the CPU, it may be possible to “reduce the risk” by blocking network protocols required by the attack or removing privileges to certain packages. However this move may also “break application functionality”, Oracle said.

The vulnerability in the Core RDBMS (CVE-2012-0082) is “probably more severe” than Oracle made it sound in the advisory, Alex Rothacker, director of security research at Application Security’s TeamShatter, told eWEEK.

The flaw, which affects Oracle Database versions 10.1.05 to 11.2.0.3, provides a remote code execution opportunity, but requires a valid account on the database, according to the advisory. However, Oracle hinted at a “significant non-security component” to the patch and directed users to a separate support document  “to determine the urgency and best plan of action for applying the fix”, the company said.

Oracle fixed two vulnerabilities in the Solaris operating system, a denial of service bug and a Kerberos issue. They had the two highest CVSS scores in the entire CPU.

Oracle fixed the issue in the Oracle OpenSSO component of the Oracle Sun Products suite discovered and reported by Travis Emmert, a security researcher at Veracode. The flaw, which can be found in versions 7.1 and 8.0, would allow attackers to run” unauthenticated network attacks via HTTPS”, according to Veracode. If a user clicked on a specially crafted link in a phishing email, the attacker would be able to execute actions within the context of the logged in user’s session, Chris Wysopal, CTO of Veracode, told eWEEK.

The flaw in Oracle WebCenter Content is the “most dangerous network-based vulnerability” fixed in this CPU because it could allow attackers to compromise the confidentiality and integrity of systems, Marcus Carey, security researcher at Rapid7, told eWEEK.

Oracle also patched the denial of service vulnerability in GlassFish Enterprise Server that was disclosed at the Chaos Communication Congress in Germany at the end of December.

Administrators should consider patching systems that are Internet accessible first, such as the issues in Weblogic, Apache and Solaris, according to Wolfgang Kandek, CTO of Qualys. Oracle RDBMS can “probably be addressed last” as databases tend to be installed on an internal network or behind a firewall if they are connected to the Internet, according to Kandek.

The next Critical Patch Update release will be on April 17.