By Eric P. Maurice on Jan 14, 2014
Hello, this is Eric Maurice.
Oracle released the January 2014 Critical Patch Update today. This Critical Patch Update provided fixes for 144 new security vulnerabilities across a wide range of product families, including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
The January 2014 Critical Patch Update provided 5 fixes for the Oracle Database. The maximum CVSS Base Score for these database vulnerabilities was 5.0. This score was for one vulnerability (CVE-2013-5853), which also happened to be the only remotely exploitable without authentication database vulnerability in this Critical Patch Update.
This Critical Patch Update provided 22 security fixes for Oracle Fusion Middleware, 19 of which were for vulnerabilities that were remotely exploitable without authentication. The most severe CVSS Base Score for these vulnerabilities is 10.0. This score is for vulnerability CVE-2013-4316 which affects Oracle WebCenter Sites (versions 220.127.116.11.1 and 18.104.22.168.0).
Oracle Hyperion received 2 new security fixes. One of these vulnerabilities (CVE-2013-3830) received a CVSS Base Score of 7.1, which denotes a complete compromise if successfully exploited, but also requires a single authentication from the attacker.
This Critical Patch Update also included a number of fixes for Oracle applications. 4 security fixes are for Oracle E-Business Suite (one of the vulnerabilities may be remotely exploitable without authentication), 16 security fixes are for Oracle Supply Chain Products Suites (6 of the vulnerabilities may be remotely exploitable without authentication), 17 security fixes are for Oracle PeopleSoft Enterprise (10 of the vulnerabilities may be remotely exploitable without authentication). 2 security fixes are for Oracle Siebel CRM (one of the vulnerabilities may be remotely exploitable without authentication), etc.
This Critical Patch Update also provided 36 security fixes for Java SE. 34 of these Java SE vulnerabilities may be remotely exploitable without authentication. Only 3 of these vulnerabilities are relevant to Java SE or JSSE server deployments, but are not server side specific (that is they also affect client deployments). The maximum CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects 5 vulnerabilities (one of them being applicable to server deployments, that is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets).
As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. While a successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments because the affected component is not installed or cannot be easily accessed by malicious attacker, a prompt application of the Critical Patch Update will help ensure that “security in depth” is maintained in the environment. IT environments are dynamic in nature, and systems configurations and security controls (e.g., network access control policies) often change over time. Applying the Critical Patch Update and other vendors’ relevant security patches helps ensure that the related security controls continue to work, should one of the systems fail or its control be circumvented during an attack.
In 2014, the Critical Patch Update program remains Oracle’s primary mechanism for the release of security fixes across all Oracle product families. The recent inclusion of Java SE in the standard Critical Patch Update release schedule has resulted in an increase in the relative size of each Critical Patch Update release since Java SE’s inclusion in October 2013. From a Java SE perspective, this inclusion also meant that security fixes are released for Java SE in 4 annual scheduled releases (as opposed to 3 annual releases prior to the Oracle acquisition of Sun Microsystems.) The schedule of the Critical Patch Update (on the Tuesday closest to the 17th of the months of January, April, July, and October), as well as the frequency of this security patching schedule, is based largely on customers’ feedback who desire a balance between a high level of predictability for managing their systems as well as a reasonable frequency in the release of security patches so as to maintain a proper security posture. As such, from an Oracle perspective, “time to fix” (length of time between discovery of the bug or initial reporting and delivery of the fix) is not as relevant a figure as “time to patch” (length of time between discovery of the bug or initial reporting and application of the fix by all affected customers).
For More Information:
The January 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html.