By Eric P. Maurice on Jan 20, 2015
Hi, this is Eric Maurice.
Oracle today released the January 2015 Critical Patch Update. This Critical Patch Update provides 169 new fixes for security issues across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
Out of these 169 vulnerabilities, 8 are for the Oracle Database. None of these database vulnerabilities are remotely exploitable without authentication, but a number of these vulnerabilities are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has received a CVSS Base Score of 9.0 to denote that a full compromise of the targeted server is possible on the Windows platform (for versions prior to Database 12c) but requires authentication (the CVSS Base Score for platforms other than Windows and for Database 12c on Windows is 6.5).
One database vulnerability (CVE-2014-6577) received a CVSS Base Score of 6.8. If successfully exploited, vulnerability CVE-2014-6577 can result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform. The CVSS Base Score for CVE-2014-6577 is 6.5 (the reported confidentiality impact value is "Partial+") for Database 12c on Windows and for all versions of the Database on Linux, Unix and other platforms.
Two database vulnerabilities received a CVSS Base Score of 6.5 (CVE-2014-0373 and CVE-2014-6578). The CVSS Base Score of 6.5 for these vulnerabilities, along with the Partial+ ratings, indicates that successful exploitation of the vulnerabilities could result in a possible compromise of the entire database, but authenticating to the targeted system is required.
Because of the severity of these issues, Oracle highly recommends that this Critical Patch Update be applied against affected systems as soon as possible. As a reminder, the security risk matrices in the Critical Patch Update advisory list the affected versions, and the accompanying patch availability document provides information about how to obtain the appropriate patches.
Note that, as discussed in a previous blog entry by Darius Wiles, the CVSS Special Interest Group has recently published a preview of the upcoming CVSS version 3.0 standard. A major improvement planned for this updated version of CVSS is the addition of a Scope metric that will provide a more generic way to indicate if the impact of a vulnerability extends beyond the component that contains the vulnerability. As a result, this new ‘Scope’ metric will eliminate the need for Oracle to use a Partial+ custom score.
This Critical Patch Update provides 36 new fixes for Oracle Fusion Middleware products. The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 9.3. Two of the Oracle Fusion Middleware vulnerabilities fixed in this Critical Patch Update can result in a server takeover (CVE-2011-1944 and CVE-2014-0224).
This Critical Patch Update provides a number of security fixes for Oracle Applications, including 10 new fixes for Oracle E-Business Suite, 6 for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning. Oracle Applications customers should apply these fixes as soon as possible, as well as apply other relevant fixes in the Oracle stack as prescribed in the Critical Patch Update Advisory and associated documentation. It is also very important that application customers remain on actively supported versions from Oracle so that they can benefit from Oracle’s ongoing security assurance effort, and continue to get security fixes which are thoroughly tested across the Oracle stack. Customers who have these applications hosted on their behalf should ensure that their service providers apply these patches in a timely fashion upon successful testing.
This Critical Patch Update also provides 29 new security fixes for the Oracle Sun Systems Products Suite. The highest CVSS Base Score reported for these vulnerabilities is 10.0. This vulnerability (CVE-2013-4784) affects XCP Firmware versions prior to XCP 2232. Note that per Oracle’s Lifetime Systems Support Policy, Oracle will no longer systematically assess new security vulnerabilities against Solaris 8 and Solaris 9.
This Critical Patch Update delivers 19 new security fixes for Oracle Java SE. The most severe of these vulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SE client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408). Out of these 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations. This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.
It is very important to note that, with this Critical Patch Update, Oracle will change the behavior of Java SE with regard to SSL. This Critical Patch Update will disable by default the use of SSL version 3.0. SSL v3.0 is widely regarded as an obsolete protocol, and this situation is aggravated by the POODLE vulnerability (CVE-2014-3566). As a result, this protocol is being widely targeted by malicious hackers.
Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems.
Customers should update their custom code to switch to a more resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL will be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0. However, Oracle strongly recommends that organizations phase out their use of SSL v3.0 as soon as possible.
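An added example (not Oracle's code and not part of the original post): a small Java check that reports whether the running JRE still permits SSL v3.0 and builds an endpoint pinned to TLS 1.2, as recommended above. It assumes the JSSE security property `jdk.tls.disabledAlgorithms`, which this post does not name, is where the default disablement is recorded; the class and method names are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class Ssl3Audit {
    // True if the JRE-wide security property lists SSLv3 as disabled.
    // Assumption: the property name is not given in the post.
    static boolean sslv3DisabledByPolicy() {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop == null) return false;
        for (String entry : prop.split(",")) {
            if (entry.trim().equalsIgnoreCase("SSLv3")) return true;
        }
        return false;
    }

    // Returns every SSL-era name (SSLv3, SSLv2Hello) in a protocol list.
    static List<String> legacySsl(String[] protocols) {
        List<String> found = new ArrayList<>();
        for (String p : protocols) {
            if (p.startsWith("SSL")) found.add(p);
        }
        return found;
    }

    // Builds an engine that negotiates TLS 1.2 only, whatever the JRE defaults are.
    static SSLEngine tls12OnlyEngine() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("SSLv3 disabled by policy: " + sslv3DisabledByPolicy());
        System.out.println("Enabled by default:       " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Legacy SSL still enabled: " + legacySsl(defaults.getProtocols()));
        System.out.println("Pinned engine protocols:  "
                + Arrays.toString(tls12OnlyEngine().getEnabledProtocols()));
    }
}
```

Run it with the same JRE and security properties file the application uses, since the reported defaults depend on that configuration.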
For More Information:
The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
See Darius Wiles’ blog entry about upcoming changes to the CVSS Standard at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview