Hi, this is Eric Maurice.
Oracle today released the January
2015 Critical Patch Update. This Critical
Patch Update provides 169 new fixes for security issues across a wide range
of product families including: Oracle Database, Oracle Fusion Middleware,
Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite,
Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Siebel
CRM, Oracle iLearning, Oracle Java SE, Oracle Sun Systems Products Suite,
Oracle Linux and Virtualization, and Oracle MySQL.
Out of these 169 vulnerabilities, 8 are for the Oracle
Database. None of these database
vulnerabilities are remotely exploitable without authentication, but a number
of these vulnerabilities are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has
received a CVSS Base Score of 9.0 to denote that a full compromise of the
targeted server is possible on the Windows platform (for versions prior to
Database 12c) but requires authentication (the CVSS Base Score for platforms
other than Windows, and for Database 12c on Windows, is 6.5).
One database vulnerability (CVE-2014-6577) received a CVSS
Base Score of 6.8. If successfully
exploited, vulnerability CVE-2014-6577 can result in a complete confidentiality
compromise of the targeted systems on database versions prior to 12c on the
Windows platform. The CVSS Base Score
for CVE-2014-6577 is 6.5 (the reported confidentiality impact value is
"Partial+") for Database 12c on Windows and for all versions of the Database
on Linux, Unix and other platforms.
Two database vulnerabilities received a CVSS Base Score of
6.5 (CVE-2014-0373 and CVE-2014-6578). The
CVSS Base Score of 6.5 for these vulnerabilities, along with the Partial+
ratings, indicates that successful exploitation could result in a compromise of
the entire database, but authenticating to the targeted system is required. Because
of the severity of these issues, Oracle highly recommends that this Critical
Patch Update be applied to affected systems as soon as possible. As a reminder, the security risk matrices
listed in the Critical Patch Update advisory list the affected versions, and
the accompanying patch availability document provides information about how to
obtain the appropriate patches.
Note that, as discussed in a
previous blog entry by Darius Wiles, the CVSS Special Interest Group has
recently published a preview of the upcoming CVSS version 3.0 standard. A major improvement planned for this updated
version of CVSS is the addition of a Scope metric that will provide a more
generic way to indicate if the impact of a vulnerability extends beyond the component
that contains the vulnerability. As a
result, this new ‘Scope’ metric will eliminate the need for Oracle to use a
Partial+ custom score.
This Critical Patch Update provides 36 new fixes for Oracle Fusion Middleware
products. The most severe of these
Fusion Middleware vulnerabilities has received a CVSS Base Score of 9.3. Two of the Oracle Fusion Middleware
vulnerabilities fixed in this Critical Patch Update can result in a server
takeover (CVE-2011-1944 and CVE-2014-0224).
This Critical Patch Update provides a number of security fixes for Oracle
Applications, including 10 new fixes for Oracle E-Business Suite, 6 for Oracle
Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle
JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle
iLearning. Oracle Applications customers
should apply these fixes as soon as possible, and also apply the other relevant
fixes in the Oracle stack as prescribed in the Critical Patch Update Advisory
and associated documentation. It is
also very important that application customers remain on actively supported
versions from Oracle so that they can benefit from Oracle's ongoing security
assurance effort, and continue to receive security fixes that are thoroughly
tested across the Oracle stack. Customers who have these applications hosted on their behalf should
ensure that their service providers apply these patches in a timely fashion
upon successful testing.
This Critical Patch Update also provides 29 new security fixes for the Oracle
Sun Systems Products Suite. The highest
CVSS Base Score reported for these vulnerabilities is 10.0. This vulnerability
(CVE-2013-4784) affects XCP Firmware versions prior to XCP 2232. Note that, per Oracle's
Lifetime Systems Support Policy, Oracle will no longer systematically
assess new security vulnerabilities against Solaris 8 and Solaris 9.
This Critical Patch Update delivers 19 new security fixes for Oracle Java
SE. The most severe of these
vulnerabilities received a CVSS Base Score of 10.0. This score is reported for 4 distinct Java SE
client-only vulnerabilities (CVE-2014-6601, CVE-2015-0412, CVE-2014-6549, and
CVE-2015-0408). Out of these 19
vulnerabilities, 15 affect client-only installations, 2 affect client and
server installations, and 2 affect JSSE installations. This number of
Oracle Java SE fixes, low by historical standards, reflects the results of Oracle's
strategy for addressing security bugs affecting Java clients and improving
security development practices in the Java development organization.
It is very important to note that, with this
Critical Patch Update, Oracle is changing the behavior of Java SE with
regard to SSL. This Critical Patch
Update disables by default the use of SSL version 3.0. SSL v3.0 is widely regarded as an obsolete
protocol, and this situation is aggravated by the POODLE
vulnerability (CVE-2014-3566). As a
result, this protocol is being widely targeted by attackers.
Organizations should disable the use of all versions of SSL
as they can no longer rely on SSL to ensure secure communications between
Customers should update their custom code to switch to a
more resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL will be disabled in all
Oracle software moving forward. A manual
configuration change can allow Java SE clients and server endpoints that have
been updated with this Critical Patch Update to continue to use
SSL v3.0 temporarily. However, Oracle strongly
recommends that organizations phase out their use of SSL v3.0 as soon as
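The following is an added example, not code from Oracle or from this post, of what "switching custom code to TLS 1.2" looks like in a Java SE client. It pins the enabled protocol list explicitly rather than trusting JVM defaults, because the name passed to SSLContext.getInstance (here "TLSv1.2") does not by itself exclude older versions; only setEnabledProtocols does. It also reads the jdk.tls.disabledAlgorithms security property, which is the java.security setting the updated Java SE releases use to disable SSLv3 (the "manual configuration change" above is removing SSLv3 from that property), so the program can warn if someone has re-enabled it. The class name, the optional host/port command-line arguments, and the hostname verification setting are assumptions of the example.

```java
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (not Oracle's code): a Java SE client pinned to TLS 1.2. */
public final class Tls12Client {

    /** Protocols this client will offer; SSLv3 and SSLv2Hello are deliberately absent. */
    static final String[] ALLOWED_PROTOCOLS = { "TLSv1.2" };

    /**
     * Opens a socket that negotiates only the protocols in ALLOWED_PROTOCOLS and
     * verifies the server certificate against the host name, then handshakes.
     */
    public static SSLSocket connect(String host, int port)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        // "TLSv1.2" names the context; without the explicit setEnabledProtocols
        // call below it would still enable TLSv1 and TLSv1.1 on the socket.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust store and RNG
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setEnabledProtocols(ALLOWED_PROTOCOLS);
        // Raw SSLSocket does not check the certificate's host name unless asked.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // fails if the peer only offers SSLv3 or a bad cert
        return socket;
    }

    /** True if the JVM's default SSLContext would still offer SSLv3 (no network used). */
    public static boolean sslv3EnabledByDefault() throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        return Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        // The property comes from $JAVA_HOME/jre/lib/security/java.security.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("default enabled protocols = "
                + Arrays.toString(SSLContext.getDefault().createSSLEngine().getEnabledProtocols()));
        System.out.println(sslv3EnabledByDefault()
                ? "WARNING: SSLv3 is enabled by default; check jdk.tls.disabledAlgorithms"
                : "SSLv3 is disabled by default");

        // Optional live check: java Tls12Client <host> <port>
        if (args.length == 2) {
            try (SSLSocket s = connect(args[0], Integer.parseInt(args[1]))) {
                System.out.println("negotiated " + s.getSession().getProtocol()
                        + " with " + args[0] + ":" + args[1]);
            }
        }
    }
}
```

Run without arguments to see what the installed JVM enables by default; run with a host and port to confirm that the connection actually negotiates TLSv1.2. Server-side code has the same shape: call setEnabledProtocols on the SSLServerSocket (or setEnabledProtocols on each accepted SSLSocket) instead of relying on the context name, so that the endpoint stays on TLS even on a JVM where someone has removed SSLv3 from jdk.tls.disabledAlgorithms.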
For More Information:
The Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
See Darius Wiles’ blog entry about upcoming
changes to the CVSS Standard at https://blogs.oracle.com/security/entry/cvss_version_3_0_preview