Hello, this is Eric Maurice again.
Oracle today released the October 2014 Critical Patch Update. This Critical Patch Update provides fixes for 154 vulnerabilities across a number of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Product Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Communications Industry Suite, Oracle Retail Industry Suite, Oracle Health Sciences Industry Suite, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, and Oracle MySQL.
In today’s Critical Patch Update Advisory, you will see a stronger statement than previously used about the importance of applying security patches. Even though Oracle has consistently tried to encourage customers to apply Critical Patch Updates on a timely basis and recommended that customers remain on actively-supported versions, Oracle continues to receive credible reports of attempts to exploit vulnerabilities for which fixes have already been published by Oracle. In many instances, these fixes were published by Oracle years ago, but customers’ failure to apply them, particularly on Internet-facing systems, results in dangerous exposure for these customers. Keeping up with security releases is a good security practice and good IT governance.
Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0.
This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows). When the database user has limited (or non-root) privileges, the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and would not extend to the underlying Operating System. Regardless of this lower CVSS Base Score for these vulnerabilities on the most recent versions of the database on Windows and on all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.
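The two scores quoted above follow from the CVSS v2 base formula once only the impact metrics change; the vector used below (network access, low complexity, single authentication, i.e. a database session) is an assumption added here for illustration and is not taken from the advisory. With the database process running under an administrative OS account the impact is Complete; when the compromise stays inside the database it is scored as Partial.

$$\text{Exploitability} = 20 \cdot AV \cdot AC \cdot Au = 20 \cdot 1.0 \cdot 0.71 \cdot 0.56 = 7.952$$

$$\text{Impact} = 10.41\,\bigl(1 - (1-C)(1-I)(1-A)\bigr), \qquad \text{Base} = \operatorname{round}_{0.1}\!\bigl((0.6\,\text{Impact} + 0.4\,\text{Exploitability} - 1.5) \cdot 1.176\bigr)$$

$$C=I=A=0.660 \;(\text{Complete}):\quad \text{Impact} = 10.41\,(1-0.34^3) = 10.001, \quad \text{Base} = (6.001 + 3.181 - 1.5)\cdot 1.176 = 9.03 \rightarrow 9.0$$

$$C=I=A=0.275 \;(\text{Partial}):\quad \text{Impact} = 10.41\,(1-0.725^3) = 6.443, \quad \text{Base} = (3.866 + 3.181 - 1.5)\cdot 1.176 = 6.52 \rightarrow 6.5$$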
The Java Virtual Machine (Java VM) was added to the database with the release of Oracle 8i in early 1999. The inclusion of the Java VM in the database kernel allows Java stored procedures to be executed by the database. In other words, by running Java in the database server, Java applications can benefit from direct access to relational data. Not all customers implement Java stored procedures; however, support for Java stored procedures is required for the proper operation of the Oracle Database, as certain features are implemented using Java. Due to the nature of the fixes required, Oracle development was not able to produce a normal RAC-rolling fix for these issues. To help protect customers until they can apply the Oracle JavaVM component Database PSU, which requires downtime, Oracle produced a script that introduces new controls to prevent new Java classes from being deployed or new calls from being made to existing Java classes, while preserving the ability of the database to execute the existing Java stored procedures that customers may rely on.
As a mitigation measure, Oracle did consider revoking all PUBLIC grants to Java classes, but such an approach is not feasible with a static script. Due to the dynamic nature of Java, it is not possible to identify all the classes that may be needed by an individual customer. Oracle’s script is designed to provide effective mitigation against malicious exploitation of Java in the database for customers who are not deploying new Java code or creating Java code dynamically.
Customers who regularly develop in Java in the Oracle Database can take advantage of a new feature introduced in Oracle 12.1. By running their workloads with Privilege Analysis enabled, these customers can determine which Java classes are actually needed and remove unnecessary grants.
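As an added example (not Oracle's mitigation script, which is not reproduced here), this is the 12.1 Privilege Analysis workflow the post refers to, applied to PUBLIC grants on Java classes: capture a representative workload, then list the EXECUTE grants to PUBLIC on Java classes that the workload never exercised. The capture name is a placeholder chosen here; the DBMS_PRIVILEGE_CAPTURE calls and the view columns follow the 12.1 reference, so confirm them against your release before use.

```sql
-- Requires the CAPTURE_ADMIN role. The capture is database-wide so that
-- every session's privilege use is recorded, not just one application user.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'JAVA_GRANT_CAPTURE',            -- placeholder name
    description => 'Java class grants exercised by the real workload',
    type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('JAVA_GRANT_CAPTURE');
END;
/

-- ... run the full, representative application workload here, long enough
--     to cover batch jobs and rarely used features (see the caveat below) ...

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('JAVA_GRANT_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('JAVA_GRANT_CAPTURE');
END;
/

-- EXECUTE grants to PUBLIC on Java classes that no captured session used.
-- These are REVOKE candidates to review one by one; DBMS_JAVA.LONGNAME
-- expands the hashed short names Oracle stores for long class names.
SELECT p.owner,
       DBMS_JAVA.LONGNAME(p.table_name) AS class_name
FROM   dba_tab_privs p
WHERE  p.grantee   = 'PUBLIC'
AND    p.privilege = 'EXECUTE'
AND    p.type      = 'JAVA CLASS'
MINUS
SELECT u.object_owner,
       DBMS_JAVA.LONGNAME(u.object_name)
FROM   dba_used_pubprivs u          -- privileges used via PUBLIC grants
WHERE  u.capture     = 'JAVA_GRANT_CAPTURE'
AND    u.object_type = 'JAVA CLASS'
AND    u.obj_priv    = 'EXECUTE'
ORDER BY 1, 2;

-- Caveat (the point the post makes about the dynamic nature of Java): the
-- result only reflects classes resolved during the capture window, so a
-- grant that looks unused here may still be needed by an untested code path.
```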
18 of the 154 fixes released today are for Oracle Fusion Middleware. Half of these fixes are pass-through fixes to address vulnerabilities in third-party components included in Oracle Fusion Middleware distributions. The most severe CVSS Base Score reported for these Oracle Fusion Middleware vulnerabilities is 7.5.
This Critical Patch Update also provides fixes for 25 new Java SE vulnerabilities. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. This score applies to one Java SE vulnerability. Out of these 25 Java vulnerabilities, 20 affect client-only deployments of Java SE (and 2 of these vulnerabilities are browser-specific). 4 vulnerabilities affect client and server deployments of Java SE. One vulnerability affects client and server deployments of JSSE.
Rounding up this Critical Patch Update release are 15 fixes for Oracle and Sun Systems Product Suite, and 24 fixes for Oracle MySQL.
Note that on September 26th 2014, Oracle released Security Alert CVE-2014-7169 to deal with a number of publicly-disclosed vulnerabilities affecting GNU Bash, a popular open source command line shell incorporated into Linux and other widely used operating systems. Customers should check out this Security Alert and apply the relevant security fixes for the affected systems, as its publication so close to the publication of the October 2014 Critical Patch Update did not allow for the inclusion of these Security Alert fixes in the Critical Patch Update release.
For More Information:
The October 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
Security Alert CVE-2014-7169 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html. Furthermore, a list of Oracle products using GNU Bash is located at http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html.
The Oracle Software Security Assurance web site is located