Oracle has Busy Critical Patch Day

Thursday, January 17, 2013 @ 04:01 PM gHale

Oracle released its quarterly Critical Patch Update, which totaled 86 security updates across all major product lines including Oracle Database and MySQL Server.

The most serious vulnerability may be a critical privilege escalation vulnerability (CVE-2012-3220) in Oracle Database Server. An authenticated attacker who holds the Create Table privilege can exploit this flaw to gain control of the underlying Windows system.
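Because the flaw above requires a database account that already holds Create Table, a defender's first step while the patch is being scheduled is to find out how many accounts actually have that privilege, whether granted directly or inherited through a role such as RESOURCE. The query below is an added example written for this article, not code from Oracle or from the original post; it assumes an Oracle 10g or later instance and a user with SELECT access to the DBA_* data dictionary views.

```sql
-- Added example (not from the original article): enumerate every account that
-- can exercise CREATE TABLE on this instance, directly or via nested roles.
-- Assumes read access to the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views.
SELECT u.username,
       u.account_status,
       CASE WHEN d.grantee IS NOT NULL THEN 'DIRECT GRANT' ELSE 'VIA ROLE' END AS source
FROM   dba_users u
       -- Accounts holding the system privilege directly
       LEFT JOIN (SELECT grantee
                  FROM   dba_sys_privs
                  WHERE  privilege = 'CREATE TABLE') d
              ON d.grantee = u.username
WHERE  u.username IN (
         -- Direct holders (users and roles)
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege = 'CREATE TABLE'
         UNION
         -- Walk role grants upward from any role that holds the privilege,
         -- so users who receive it through RESOURCE or a custom role appear too.
         SELECT grantee
         FROM   dba_role_privs
         START WITH granted_role IN (SELECT grantee
                                     FROM   dba_sys_privs
                                     WHERE  privilege = 'CREATE TABLE')
         CONNECT BY NOCYCLE PRIOR grantee = granted_role
       )
ORDER  BY source, u.username;
```

Accounts listed as OPEN that do not need to create objects are candidates for revoking the privilege (or the role that carries it) until the CPU is applied; the same query re-run afterwards confirms the reduced footprint.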


“This type of vulnerability would likely be exploited in conjunction with another attack to elevate privileges from the database to the operating system,” said Ross Barrett, senior manager of security engineering at Rapid7. “Oracle Database is their flagship product and to say it is widely deployed is putting it mildly.”

Oracle has been under harsh criticism this year, primarily for a Zero Day vulnerability in Java 1.7u10. Exploits for the previously undisclosed flaw were in a number of exploit kits and attacks that are already out in the wild dropping ransomware and assorted other malware.

Oracle did respond quickly with an out-of-band Java 1.7 u11 update that addressed the sandbox-bypass vulnerability, but security experts, including the Department of Homeland Security, still recommend disabling Java and warn there are ways to bypass the security enhancements in the latest Java update.

The quarterly Oracle CPU releases do not include Java updates; the next scheduled Java security release is Feb. 19.

In addition to the Oracle Database Server patch, five more were for Oracle Database Mobile/Lite Server. All five are remotely exploitable without authentication. The mobile server runs in embedded systems and smartphones, including Android and BlackBerry devices.

Barrett said these vulnerabilities could remain unpatched in some organizations for some time because of the difficulty in updating mobile systems.

“The average user of an application with Oracle Database Mobile/Lite is likely at the mercy of third party vendors and ISPs who may or may not feel it is cost effective to roll out an update,” he said.

Organizations deploying MySQL Server are looking at 18 new updates, two of them (CVE-2012-1702 and CVE-2012-0383) remotely exploitable without authentication, Oracle said. Two other privilege escalation vulnerabilities (CVE-2012-5611 and CVE-2012-5612) could enable an attacker to gain control over the underlying Windows system as well; both would require authentication.

Oracle also warns of five remotely exploitable vulnerabilities in Oracle Fusion Middleware; this product includes Oracle Database components affected by vulnerabilities patched in this CPU as well. The severity of exposure, Oracle said, depends on the database version used.

Thirteen remotely exploitable vulnerabilities were patched in Oracle Enterprise Manager Grid Control. None of the patches apply to client-only installations. This product includes Oracle Database and Fusion Middleware components patched in this CPU.

Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (seven of which are remotely exploitable), 12 in Oracle PeopleSoft (seven remotely exploitable), 10 in Oracle Siebel CRM (five remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.

Oracle also released eight patches for its Sun Products Suite, seven of which are in the Solaris operating system. All require multiple levels of authentication and only one is remotely exploitable, a vulnerability in Sun Storage Array Manager that would allow an attacker read access to data.

Oracle also patched its Oracle Virtualization VirtualBox product, repairing a low-risk flaw.
