
January 2009 Critical Patch Update

Hi, this is Eric Maurice!

Today Oracle released the January 2009 Critical Patch Update (CPUJan2009).

The Critical Patch Update (CPU) includes fixes for 41 new security vulnerabilities across several product families, including: Oracle Database Server, Oracle Times Ten, Oracle Secure Backup, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, and Oracle WebLogic.

Ten of the 41 vulnerabilities affect Oracle Database Server, and none of the ten are remotely exploitable without authentication. Two of the Oracle Database Server fixes are for the SQL*Plus Windows GUI; as such, they impact client-only installations.

This Critical Patch Update also addresses nine vulnerabilities in Oracle Secure Backup, a stand-alone solution for centrally managing backup tapes. Four of the Oracle Secure Backup vulnerabilities are reported in the CPU documentation with a CVSS Base Score of 10.0. Note, however, that this CVSS Base Score of 10.0 applies only to the Windows platform. On Linux, Unix, and other platforms, these vulnerabilities yield a relatively lower severity score of 7.5. This difference in CVSS Base Scores is due to operating system differences, which allow a successful exploitation of one of the vulnerabilities to result in a takeover of the operating system in a Windows environment, but not on other platforms (Linux, Unix, etc.). A 10.0 CVSS Base Score denotes instances where a complete takeover of the underlying platform on which a compromised application executes is possible (allowing an attacker to "own" the targeted machine). A 7.5 CVSS Base Score denotes instances where the compromise is largely limited to the compromised application. Finally, note that none of the vulnerabilities fixed in this Critical Patch Update affect the most recent release of Oracle Secure Backup (10.2.0.3).

This Critical Patch Update also addresses five new vulnerabilities in the Oracle WebLogic suite of products. One of these five vulnerabilities also received a CVSS Base Score of 10.0; it affects the WebLogic Server Plugins for the Apache, Sun, and IIS web servers. The WebLogic plugin component has already been the subject of a couple of serious vulnerabilities. Two CVSS 10.0 vulnerabilities were recently fixed in this component: one with the most recent October 2008 Critical Patch Update and the other with an out-of-cycle Security Alert in August 2008. The discovery of these vulnerabilities has brought a lot of attention to the WebLogic Server Plugin, and as a result this component has been going through significant review, including an in-depth review by our ethical hacking team (a.k.a. "White Hat Hackers"), and of course various communications with the Security Researchers who brought some of these issues to light. Finally, note that the fixes for the WebLogic plugins are cumulative; in other words, the most recent fix includes all previously released fixes.

In many ways, the remediation of severe vulnerabilities in Oracle Secure Backup and the Oracle WebLogic Server plugins in today's Critical Patch Update highlights the effectiveness of an ongoing Security Assurance effort, which involves the entire development organization, as well as internal security teams and trusted Security Researchers. Looking back at the Critical Patch Updates since January 2005, we can see that the most mature product lines (in terms of their inclusion in Oracle Software Security Assurance programs, including the Critical Patch Update) are experiencing fewer critical vulnerabilities and, in some instances, a decrease in the number of vulnerabilities typically fixed in each Critical Patch Update. (Note that the size of the Critical Patch Update remains somewhat constant despite the continuously growing number of products that have joined the CPU process as a result of newly acquired product lines.) Of course, security professionals can never fully rest on their laurels, because such progress can always be negated by the discovery of new attack methods, which would result in a "spike" in the number of fixes issued to address them.

As usual, I try to highlight the most notable content of the current Critical Patch Update in this blog. However, as indicated at the beginning of this post, the current Critical Patch Update also includes new fixes for other product lines (Oracle E-Business Suite, Oracle TimesTen, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle PeopleSoft Enterprise, and Oracle JDEdwards Enterprise One). Customers should therefore refer to the CPU Release Documentation to find more information about these patches. Oracle strongly encourages all customers to apply this CPU as soon as possible.

For More Information:

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

For more information about Oracle’s use of the CVSS standard, see: http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm


About This Entry

This page contains a single entry from the blog posted on January 13, 2009 10:14 AM.
