Oracle Fixes 88 Vulnerabilities

Thursday, April 19, 2012 @ 05:04 PM gHale

Oracle released 88 security patches as part of its scheduled April Critical Patch Update (CPU), ten more than on its last patch day in January.

One of the patches addresses a series of vulnerabilities in the Java JRockit VM with a CVSS Base Score of 10.0, the highest possible score in the Common Vulnerability Scoring System.


Oracle also closed holes with a CVSS score of 9.0 in Grid Engine and the Windows version of the database component Spatial (in non-Windows versions the vulnerability score of this flaw is 6.5). All other vulnerabilities have scores of 7.5 or lower.

Of the 88 released updates, 6 patch holes directly in Oracle’s Database Server and 6 others might affect it indirectly via Enterprise Manager Grid Control. Of the Grid Control vulnerabilities, attackers can exploit 4 remotely without authentication. The Oracle Fusion middleware software received 11 advisories, some of which affect Java and therefore also JRockit. Additionally, 17 patches were released for Oracle FLEXCUBE, 11 affect PeopleSoft Enterprise and 6 relate to MySQL. Oracle also released several patches for Solaris.

Details about the patched vulnerabilities are still sparse as the company is trying to prevent attackers from reverse engineering the fixes before users have had a chance to deploy them. In an earlier out-of-band update to MySQL, this strategy failed when Oracle accidentally released a proof of concept for exploiting a vulnerability along with a security patch.

Executive Summaries of the vulnerabilities are in the security advisory and the company recommends users install the patches as soon as they become available because of “the threat posed by a successful attack.”

Java has suffered a number of vulnerabilities of late, and the next round of updates on June 12, 2012 will patch security holes in the Java Runtime Environment as part of the Java SE Critical Patch Updates, according to Oracle’s Critical Patch Updates and Security Alerts page.
