Friday Jul 20, 2012

Use of the Common Vulnerability Reporting Format (CVRF) for Oracle’s Security Advisories

Hi, this is Reshma Banerjee. I am a member of the Security Alerts group within the Global Product Security Team at Oracle. My primary responsibilities include working with security researchers on the vulnerabilities they report to Oracle and engaging with the various engineering organizations at Oracle to ensure timely delivery of security fixes in the Critical Patch Updates and Security Alerts.

As announced in a previous blog entry, starting with the July 2012 Critical Patch Update, Oracle will be producing the security advisory in an XML format that conforms to Common Vulnerability Reporting Format (CVRF version 1.1). Of course, Oracle will also continue to produce its Security Alert and Critical Patch Update advisories using the existing format (As a reminder, all Security Alert and Critical Patch Update Advisories are published at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

The Common Vulnerability Reporting Framework is an XML-based standard that enables sharing of vulnerability information in a machine-readable format. Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF), this format was then developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum which enables industry collaboration for the development of security solutions and practices to address global security challenges. Oracle is a member of ICASI.

CVRF is a good example of a useful work-product that can come up from such a pragmatic forum of security-dedicated organizations. It provides an XML format that may be used by any vendor to publish relevant information pertaining to vulnerabilities. This includes among other useful information CVE# to identify vulnerability, CVSS score to rate the relative severity of a vulnerability, affected products and versions, mitigation instructions. We believe that CVRF will help customers with diverse IT environments be more efficient in assessing and processing security vulnerability advisories from different IT vendors. Having been personally involved with CVRF since the summer of 2009, I believe CVRF provides two key benefits:

(1) It provides a consistent way to depict security information thus simplifying the interpretation of the advisories, and

(2) It provides a machine-readable format for the interpretation of security advisories, thus allowing automation (and integration of the advisories in, for example, vulnerability scanning tools).

In absence of common security advisory format, IT industry vendors publish their security advisories and bulletins using their own proprietary format. Most organizations have to contend with heterogeneous IT infrastructure and therefore need to deal with multiple vendors. Consequently, security-conscious organizations need to deal with interpreting security advisories from multiple vendors. While security advisories from the various different IT vendors may include similar information, the differences in format and terminology cause, at best, customers to waste a lot of time interpreting security advisories, and at worst, these differences create confusion and errors as a result of the different terminology being used. To a large extent, this problem is similar to the problem that existed prior to the wide adoption of the Common Vulnerability and Exposures number (CVE #) with the identification of individual vulnerabilities.

As IT vendors adopt CVRF, and use it in their security advisories and bulletins, it will become much easier for customers to interpret relevant security information. In addition, customers will be able to more easily write their own automation tools to get the pertinent information from the various advisories without having to cope with multiple formats. Customers will also be able to write tools to automate the action to be taken if they find information in the advisories that affects them. Oracle plans to continue contributing to the CVRF working group and providing CVRF advisories with future Critical Patch Updates and Security Alerts.

For more Information:

ICASI’s web site is located at http://www.icasi.org/

More information on CVRF 1.1 is located at http://www.icasi.org/cvrf-1.1

Tuesday Jul 17, 2012

July 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle has just released the July 2012 Critical Patch Update.  This Critical Patch Update delivers a total of 87 new fixes across a number of product families including: Oracle Database, Oracle Application Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and the Oracle Sun product suites.

For the first time, in addition to the usual advisories, Oracle is producing the Critical Patch Update advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1.  CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion.  This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member.  In a future blog post, we will discuss CVRF in more detail, particularly to highlight its benefit as a means to enable the sharing of vulnerability-related information in a way that can be interpreted by a wide range of systems.

Out of these 87 new security fixes, 4 are for the Oracle Database.  The highest CVSS Base Score for these database vulnerabilities is 5.0.  3 of these 4 vulnerabilities are remotely exploitable without authentication; however 2 of these vulnerabilities affect the Database on the Windows platform only. 

In addition, this Critical Patch Update includes 1 fix for the Oracle Application Express Listener, 2 new fixes for Oracle Secure Backup, and 1 new fix for Oracle Enterprise Manager. 

With this Critical Patch Update, Oracle Fusion Middleware receives 22 new fixes.  The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0, but this score affects a series of Java Runtime Environment issues in JRockit.  These Java SE fixes were previously released in the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update also includes a new security fix for Oracle Hyperion.

This Critical Patch Update provides the following applications security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel CRM, and 1 for Oracle Life Sciences.

 Finally, the Oracle Sun product suites receive 24 new security fixes, and MySQL gets 6 new security fixes.   The highest CVSS Base Score for the Sun product suites vulnerabilities is 7.8. 

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  This is particularly important as our experience has shown that potentially malicious hackers comb through vendors’ advisories and often attempt to reverse-engineer the fixes contained in them to develop new exploits. 

Customers seeking recommendations for applying the Critical Patch Update should refer to the “Recommendations for leveraging the Critical Patch Update and maintaining a proper security posture” white paper available on Oracle’s web site.  In addition, customers are encouraged to take advantage of the broad range of resources, tools, and best practices available on My Oracle Support.

For more information:

·         The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html

·         The July 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

·         Information about Oracle Support resources, tools, and best practices are available at http://www.oracle.com/us/support/best-practices/overview/index.html

 

 

Tuesday Jun 12, 2012

June 2012 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle just released the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update provides 14 new security fixes across Java SE products.  As discussed in previous blog entries, Critical Patch Updates for Java SE will, for the foreseeable future, continue to be released on a separate schedule than that of other Oracle products due to previous commitments made to Java customers. 

12 of the 14 Java SE vulnerabilities fixed in this Critical Patch Update may be remotely exploitable without authentication.  6 of these vulnerabilities have a CVSS Base Score of 10.0.  In accordance with Oracle’s policies, these CVSS 10 scores represent instances where a user running a Java applet or Java Web Start application has administrator privileges (as is typical on Windows XP).  When the user does not run with administrator privileges (typical on the Solaris and Linux operating systems), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability for these vulnerabilities would be "Partial" instead of "Complete", thus lowering these CVSS Base Scores to 7.5.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible:

In addition, Oracle recommends removing old an unused versions  of Java as the latest version is always the recommended version as it contains the most recent enhancements, and bug and security fixes. 

For more information:

•Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml 

•Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp  

•The Advisory for the June 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

Monday Apr 30, 2012

Security Alert for CVE-2012-1675 Released

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2012-1675 to address the “TNS Listener Poison Attack” in the Oracle Database.  With a CVSS Base Score of 7.5, this vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database.

In the April 2012 Critical Patch Update, Oracle provided Security-in-Depth recognition to Joxean Koret.  As stated in the Critical Patch Update advisories, “People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

As stated in previous blog entries, Oracle fixes vulnerability first in the main code line, and then tries to backport fixes through the Critical Patch Update program for exploitable vulnerabilities that were externally reported.  In certain instances, such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters). 

Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a “0-day.”  

As a result of this disclosure, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.

Customers on single-node configurations (i.e., non Real Application Cluster (RAC) customers) should refer to the My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration” (Doc ID 1453883.1) to limit registration to the local node and the IPC protocol through the COST (Class Of Secure Transport) feature in the listener.

RAC and Exadata customers should refer to the My Oracle Support Note “Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC” (Doc ID 1340831.1) to implement similar COST restrictions. 

Note that implementing COST restrictions in RAC environments require the use of SSL/TLS encryption.  Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security.  However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers the use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675.  In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters.

Considering that the technical details of vulnerability CVE-2012-1675 have now widely been distributed, Oracle highly recommends that customers make the configuration changes documented in the above mentioned My Oracle Support Notes as soon as possible.  Customers should also feel free to contact Oracle Support if they have questions or concerns.

For More Information:

Tuesday Apr 17, 2012

April 2012 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle has just released the April 2012 Critical Patch Update. This Critical Patch Update provides 88 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle FLEXCUBE, Oracle Siebel Clinical Trial Management System, Oracle Primavera, Oracle Sun products suite, and Oracle MySQL.

Of the 88 new vulnerabilities, 6 directly affect Oracle Database Server. The highest CVSS Base Score for these Database Server vulnerabilities is 9.0. This Base Score affects the Oracle Spatial component on Windows platforms (on non-Windows platforms, i.e., Linux, Unix, the CVSS Base Score is 6.5). In addition, 6 Enterprise Manager Grid Control fixes may be relevant to Database Server deployments. The highest CVSS Base Score for the Enterprise Manager Grid Control vulnerabilities is 5.8; but 4 of the 6 vulnerabilities can be remotely exploitable without authentication. Therefore, Oracle highly recommends that these fixes be applied as soon as possible.

This Critical patch Update also includes 11 new security fixes for Oracle Fusion Middleware. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0 (for vulnerability CVE-2012-1695). This score affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. Starting again with this Critical Patch Update, JRockit fixes will no longer be provided with the Critical Patch Update for Java SE, but be provided in “the normal” Critical Patch Update along with other Oracle Fusion Middleware fixes.

This Critical Patch Update provides the following application security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 15 for Oracle PeopleSoft Enterprise, 2 for Siebel Clinical Trial Management System, 17 for Oracle FLEXCUBE, and 1 for Oracle Primavera Enterprise Project Management.

Finally, this Critical Patch Update provides 15 new security fixes for the Oracle Sun Products Suite (including Oracle Grid Engine, Oracle Glassfish Enterprise Server, Oracle Solaris, etc.) and 6 new security fixes for Oracle MySQL.

While a great amount of caution is required when analyzing the content of the Critical Patch Updates in an attempt to identify potential trends; I believe the content of this Critical Patch Update is consistent with the views expressed in previous blog entries: Oracle Software Security Assurance activities tend to result in lowering the number of exploitable security bugs in most mature product lines (that is the product lines who have implemented Oracle secure development practices for the longest time), and as a result we see a downward trend in the number of fixes for these product lines. On the other hand, newly acquired product lines often experience relatively large number of security fixes in the Critical Patch Updates. This is due in part to the increased visibility these products may get as a result of their acquisition by Oracle, as well as development’s access to an extended toolset (e.g., security scanning tools) and increased executive attention around security matters as a result of joining Oracle.

For More Information:

The April 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

 

Thursday Mar 29, 2012

Security Alert for CVE-2011-5035 Updated

Hi, this is Eric Maurice again. 

Oracle has just updated the Security Alert for CVE-2011-5035 to announce the availability of additional fixes for products that were affected by this vulnerability through their use of the WebLogic Server and Oracle Container for J2EE components.  As explained in a previous blog entry, a number of programming language implementations and web servers were found vulnerable to hash table collision attacks.  This vulnerability is typically remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.  If successfully exploited, malicious attackers can use this vulnerability to create denial of service conditions against the targeted system.

A complete list of affected products and their versions, as well as instructions on how to obtain the fixes, are listed on the Security Alert Advisory.  Oracle highly recommends that customers apply these fixes as soon as possible.

Tuesday Feb 14, 2012

February 2012 Critical Patch Update for Java SE Released

Hello, this is Eric Maurice.

Oracle just released the February 2012 Critical Patch Update for Java SE. This Critical patch Update provides fixes for 14 new security vulnerabilities affecting the Java Runtime Environment and JavaFX. The most severe CVSS Base Score for these vulnerabilities is 10.0 denoting a potentially complete compromise of the targeted systems on the Windows platform (e.g. Windows XP). Out of the 14 new vulnerabilities fixed in this Critical Patch Update, 6 affect server deployments of Java SE , including the vulnerability in the Lightweight HTTP server. This means that they can be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.

When computing CVSS Base Scores, Oracle assumes the worst scenario: in the instance of the Critical Patch Update for Java SE, we assume that a user running a Java applet or Java Web Start application has administrator privileges as is typical on the Windows XP platform. On other platforms, for example Solaris and Linux, users do not routinely operate with administrator privileges. On non-Windows platform, the corresponding CVSS scores for those vulnerabilities reported as 10.0 in the Risk Matrix, for the Confidentiality, Integrity, and Availability impacts are "Partial" (instead of the worst-scenario "Complete" reported in the risk matrix), thus lowering the CVSS Base Score for non-Windows platforms to 7.5.

While a small number of people have criticized Oracle for its strict application of the CVSS Standard, particularly as it relates to the difference between “Partial+” and “Complete,” there is a fundamental difference between vulnerabilities whose impact are limited to the affected application and those that result in a full compromise of the targeted system down to the operating system.  In instances of full compromise down to the Operating System, the targeted systems can be maliciously repurposed (to serve malware for example), audit trails can be compromised, and in the case of a compromised server, the “chain of trust” that may exist between the affected server and other systems in the environment can be compromised. In other words, a full compromise down to the operating system pose a threat that can be significantly greater than that of a compromise limited to a layer above the operating system. In addition, forensic responses will be different (as the investigatory and evidentiary values of the logs will be different).

Hundreds of millions of lines of code in Oracle’s codebase are written in Java. Following the Sun acquisition, Oracle has added additional resources to focus on Java security, including multipliying development staff dedicated to Java security. In addition, the Java development team is able to leverage a toolset, including code scanning tools, that was not previously available to them. With these new resources available to them as a result of the Oracle acquisition, the Java development team is weeding out security bugs in Java, and is looking at ways to further improve the security posture provided by Java to its users.

For more information:

 

Tuesday Jan 31, 2012

Security Alert for CVE-2011-5035 Released

Hello, this is Eric Maurice.

Oracle just released a Security Alert for CVE-2011-5035.  In recent weeks, it was widely reported in the security community that a number of programming language implementations and web servers were vulnerable to hash table collision attacks.  US-CERT (United States Computer Emergency Readiness Team) has posted a detailed explanation of this issue (VU#903934) on its web site.

This vulnerability affects a significant number of products from Oracle and other vendors.  It is particularly severe as it could allow a malicious attacker to create a denial of service condition against the targeted system through an easy unauthenticated attack over the Internet.

Today’s Security Alert provides fixes to address this issue in Oracle WebLogic Server, Oracle iPlanet Web Server, and Oracle Containers for J2EE.  As usual, the availability of the fixes is noted in the Patch Availability Documents listed in the Security Alert Advisory.  Note that these fixes were not included in the  January 2012 Critical Patch Update, which however included the corresponding fix for Oracle GlassFish server.

Due to the threat posed by this vulnerability, particularly because of its ease of exploitation and the wide interest it has received in the hacking community, Oracle strongly recommends that customers apply this Security Alert as soon as possible.  Users of affected non-Oracle products should contact their respective vendor as soon as possible to obtain the appropriate fix.

For More Information:
The Advisory for Security Alert for CVE-2011-5035 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html

Tuesday Jan 17, 2012

Learning More About Oracle Database Systems Change Number (“SCN”)

Hi, this is Eric Maurice again.

On January 17th 2012, Oracle released the January 2012 Critical Patch Update. This Critical Patch Update provided two new fixes for the Oracle Database. As usual, Oracle recommended a prompt application of the Critical Patch Update, but additionally, in the blog entry accompanying the release of the Critical Patch Update, I emphasized that Database customers should apply the Database fixes as soon as possible, explaining that the first, relatively easy to exploit, Database vulnerability could result in a complete denial of service of the Database, and that the second issue may have wider non-security implications for the databases of a very small number of customers.

In this blog entry, we are going to further discuss this second database issue, listed in the January 2012 Critical Patch Advisory as CVE-2012-0082. Note that Oracle has posted on My Oracle Support a detailed technical note on this issue along with specific recommendations for Oracle customers (See My Oracle Support Note 1376995.1).

First, let’s look at what Systems Change Numbers (SCNs) are, and why they’re important. As stated in My Oracle Support Note 1376995.1, the “System Change Number”, or SCN, is a special number used to identify database transactions. SCN values are used in many places – among other things, they are persisted within database blocks; are stored in redo records; and are used to help coordinate distributed transactions. Oracle has designed its database so that at any given point in time there is a maximum SCN value that the current SCN should not sensibly exceed – this is called the “Maximum reasonable SCN”. It is important to note that this maximum value is not a fixed value, but rather is a function of the current system time, and therefore grows over time.

In November 2011, journalists from InfoWorld contacted Oracle and stated that in a number of specific instances it appeared that the SCN of a database could grow at an excessive rate, and that this excessive SCN value could be propagated to other databases in the same environment through, among other things, database links. Oracle quickly determined that this temporary SCN exhaustion issue could have certain security implications, and as a result, in accordance with Oracle policies, Oracle handled this issue as a security bug. As a result of Oracle’s handling of the issue as a security bug, Oracle treated InfoWorld as a security researcher, and since the magazine followed responsible disclosure guidelines, InfoWorld received credit in the Critical Patch Update Advisory.

The specific conditions that could result in a temporary SCN exhaustion are complex. Oracle’s development and security teams quickly worked together to understand all the aspects of this multifaceted issue. These groups first needed to determine under which conditions SCN values could grow at an excessive rate. This meant producing diagnosing and troubleshooting scripts, documenting technical recommendations, and producing fixes for the components causing such a SCN growth to occur. In addition, this issue had to be explored from a security perspective to determine if it could be used by malicious attackers. Finally, fixes and utilities needed to be packaged for distribution (e.g. inclusion of a SCN-related Healthcheck on My Oracle Support, and patches provided through the January 2012 Critical Patch Update), and technical recommendations needed to be properly tested and documented so that they could be shared with the small number of customers who may have been at risk of running out of “SCN headroom”.

Now, let’s have a look at Oracle’s recommendations in regards to managing SCN growth in the Database environment. Oracle included in the January 2012 Critical Patch Update the “scnhealthcheck.sql” script (Patch:13498243). This script can be executed with DBA privileges and will report as to the health of the SCN growth in the database. This script is intended to provide customers with a sense of comfort that they’re not about to run out of SCN headroom, as well as potentially identify additional customers who may be running out of SCN values in their environment so that they can proactively take corrective actions.

The script will report a value of either “A”, “B”, or “C.”

If “A - SCN Headroom is good” is reported, then the SCN health in the audited database is good. The vast majority of databases are expected to fall into this group. Customers should then ensure that all their interconnected databases are patched to current level.  . No additional action is required once the databases have been patched other than to set the parameter  “_external_scn_rejection_threshold_hours” = 24 on some database versions. The script output will advise if this parameter needs to be set. 

If “B- SCN Headroom is low” is reported, then SCN headroom is limited. Customers should then ensure that their databases are patched to the current level as soon as possible, preferably within a week, and set “_external_scn_rejection_threshold_hours” = 24  if advised to do so by the script. Once patched, customers should continue to monitor their SCN health daily by running the script, and will notice after several days or weeks that the “scnhealthcheck.sql” script will report “A”.

“C - SCN Headroom is low” will be reported in the very rare cases that customers are running out of SCN headroom. This will occur when the audited database appears to experience an excessively high rate of SCN increase. In such very rare instances, customers should immediately patch their databases to its current recommended level as listed by “My Oracle Support,” and set “_external_scn_rejection_threshold_hours” if advised to do so. In addition, Oracle recommends that these customers also follow the instructions located in My Oracle Support Note Note:1388639.1 to log a Service Request with Oracle Support so that further advice can be given and additional diagnosis performed if required.

For More Information:

My Oracle Support Note 1376995.1 is located at https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1376995.1

 

January 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle just released the January 2012 Critical Patch Update.  This Critical Patch Update provides fixes for 78 new security vulnerabilities affecting a wide range of Oracle products families including: Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Virtualization, Oracle Sun product suite, and Oracle MySQL.  Note again that security fixes for Java SE continue to be released on a different schedule because of commitments made before the completion of the Sun acquisition.

Out of the 78 new fixes, 2 affect the Oracle Database.  The maximum CVSS Base Score for the Database vulnerabilities fixed in this Critical Patch Update is 5.5, however Oracle considers these fixes to be important.  In a previous blog entry, we discussed how CVSS Base Scores are computed, and we highlighted the fact that the CVSS Base Score scale is designed to rate the severity of vulnerabilities ranging up to complete exploitation of the affected system down to the Operating System layer (CVSS Base Score greater than 7.5). 
One of the database vulnerabilities fixed in this Critical Patch Update has received a CVSS Base Score of 5.0.  It is a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it).  In other words, this vulnerability could allow an unauthenticated attacker to carry a denial of service attack against the targeted database, for example if it were to be exposed to the Internet.

Though not remotely exploitable without authentication, the other database fix provided in this Critical Patch Update is also important.  This database bug, which was also reported to Oracle by InfoWorld, may have wider non-security related consequences for a small number of customers.  Database customers are therefore strongly encouraged to apply this Critical Patch Update and consult My Oracle Support Note 1376995.1 for additional instructions.

11 of the 78 new fixes provided by this Critical Patch Update are for Oracle Fusion Middleware.  The highest CVSS Base Score for these Oracle Fusion Middleware bugs is 6.4. 

An additional 17 fixes affect the Oracle Sun product suite, including Solaris, Glassfish Enterprise Server, and OpenSSO.  The highest CVSS Base Score for these Sun product suite vulnerabilities is 7.8.

3 new fixes affect Oracle virtualization.  The maximum CVSS Base Score for these vulnerabilities is 3.7.  This score is related to a vulnerability affecting Oracle VM VirtualBox.

Finally, Oracle MySQL receives 27 fixes.  The maximum CVSS Base Score for these MySQL vulnerabilities is 5.5.  One of these vulnerabilities is remotely exploitable without authentication.  Note that this is the first time that MySQL fixes are being included in the Critical Patch Update.

Oracle continues to recommend that customers apply all security patches and keep up with newer releases as a means to continue to preserve their security posture.  As highlighted in this Critical Patch Update, the decreasing number of fixes produced for the most mature product lines in recent Critical Patch Updates should not be construed as an indication that Critical Patch Updates are becoming less important to the security posture of Oracle customers.  Furthermore, security research continues to show that unpatched systems remain an attractive target for malicious hackers.  Fortunately, Oracle customers can leverage a number of tools, including My Oracle Support, to keep up with recommended security and non-security releases.

 

For More Information:

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
11
12
13
14
16
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today