Tuesday Feb 19, 2013

Updated February 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle today released the updated February 2013 Critical Patch Update for Java SE.  As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th.  Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.  

All but one of the vulnerabilities fixed today apply to client deployment of Java.  This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers.  Three of these vulnerabilities received a CVSS Base Score of 10.0.  As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE).  This fix is for a vulnerability commonly referred to as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169).  This vulnerability has received a CVSS Base Score of 4.3.

Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.  IT professionals should refer to the advisory located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html and desktop users can install this new version from java.com or through the Java autoupdate.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.   As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products.  The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014. 


For More Information:

The Advisory for the updated February 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Friday Feb 08, 2013

Updates to February 2013 Critical Patch Update for Java SE

Hello, this is Eric Maurice.

On February 1st 2013, Oracle released the February 2013 Critical Patch Update for Java SE.  In the blog entry discussing this Critical Patch Update release, I stated that this Critical Patch Update was originally scheduled to be released on February 19th, and that Oracle decided to accelerate the release of this Critical Patch Update because of the exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. 

As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE.  Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. 

This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn’t be released on February 1st.  A new Critical Patch Update Advisory will also be published on February 19th on http://www.oracle.com/technetwork/topics/security/alerts-086861.html to include information about the additional fixes being released. 

Note that Critical Patch Updates for Java SE are cumulative.  As a result, organizations that may not have applied the February 1st release will be able to apply the updated Critical Patch Update when it is published, and will then gain the benefit of all previously released Java SE fixes.  As usual, desktop users will be able to install this new version from java.com or through the Java autoupdate.


For More Information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html   

Friday Feb 01, 2013

February 2013 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice again.

Oracle just released the February 2013 Critical Patch Update for Java SE.  This Critical Patch Update was originally scheduled for February 19th, but Oracle decided to accelerate its release because one of the vulnerabilities it addresses, affecting the Java Runtime Environment (JRE) in desktop browsers, was being actively exploited “in the wild”. 

In addition to a number of security-in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities.  44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers).  In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.  In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops).  Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to both client and server deployments of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in browsers, or on servers, by supplying malicious input to APIs in the vulnerable server components.  In some instances, the exploitation scenario for this kind of bug on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server is allowed to process image files from an untrusted source. 

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE). 

The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0.   This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.   

This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments.  This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment. 

 The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers.  Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score. 

Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default.  The "high" security setting requires users to expressly authorize the execution of unsigned applets allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute "silently").  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned.  After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue.  Oracle felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers.  The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

For more information:

The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about setting the security level in the Java client is available at http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

Tuesday Jan 15, 2013

January 2013 Critical Patch Update Released

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JD Edwards EnterpriseOne, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Products Suite, 12 for PeopleSoft Enterprise, 1 for JD Edwards EnterpriseOne, and 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections of the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for the Oracle Sun Products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux). 

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 


Sunday Jan 13, 2013

Security Alert for CVE-2013-0422 Released

Hi, this is Eric Maurice again.

Oracle has just released Security Alert CVE-2013-0422 to address two vulnerabilities affecting Java in web browsers.  These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.  The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174.  These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0.  Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same.  To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website.  The execution of the malicious applet within the unsuspecting user's browser then allows the attacker to execute arbitrary code on the vulnerable system.  These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets. 

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.
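The posts of January 13 and February 1 describe the desktop-side mitigation (the "high" security level, and the Java Control Panel switch that disables Java in browsers) in prose only.  The following script is an added example, not Oracle's tooling, of how an administrator can check a deployment.properties file for those two settings.  It assumes the property names deployment.security.level (LOW, MEDIUM, HIGH, VERY_HIGH) and deployment.webjava.enabled as documented for Java 7 Update 10 and later, and the convention that a bare "<key>.locked" entry in a system-wide properties file prevents users from changing that key in the Control Panel; the two sample files are constructed for the example.

```python
"""Audit a Java deployment.properties file for the browser hardening the
posts above describe (added example; not Oracle's tooling).

Assumptions: the property names deployment.security.level (LOW, MEDIUM,
HIGH, VERY_HIGH) and deployment.webjava.enabled as documented for Java 7
Update 10 and later, and the convention that a "<key>.locked" entry in a
system-wide properties file stops users from changing <key> in the Java
Control Panel. Check both against the JRE version you manage, since the
accepted values changed in later updates.
"""

LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key:value', '#'/'!'
    comment lines, surrounding whitespace stripped. A bare key (as used for
    '<key>.locked') maps to ''. Escapes and line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        separators = [line.find(c) for c in "=:" if c in line]
        if not separators:
            props[line] = ""
        else:
            cut = min(separators)  # the first '=' or ':' ends the key
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(text):
    """Return the effective settings and the findings an administrator would act on."""
    props = parse_properties(text)
    level = props.get("deployment.security.level")
    webjava = props.get("deployment.webjava.enabled", "true").lower() != "false"
    findings = []
    if webjava:  # with the browser plug-in disabled the security level no longer matters
        if level is None:
            findings.append("security level not set; the JRE default applies "
                            "(HIGH from Java 7 Update 11, MEDIUM before)")
        elif LEVEL_RANK.get(level.upper(), -1) < LEVEL_RANK["HIGH"]:
            findings.append(f"security level {level} is below HIGH (or unrecognized): "
                            "unsigned applets can run without a prompt")
        if "deployment.security.level.locked" not in props:
            findings.append("security level is not locked; a user can lower it in the Java Control Panel")
    return {"level": level, "webjava_enabled": webjava, "findings": findings}


# Constructed sample files, not taken from any real system.
WEAK = """# Java 7 desktop before the January 2013 change
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

HARDENED = """# browser plug-in off and both settings locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

The check treats a disabled browser plug-in as sufficient on its own, which matches the post: once Java cannot run in the browser, the applet prompt is moot.  Run it against the system-wide file your deployment.config points at rather than a user's copy, since only the system-wide file can carry the .locked entries.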

Tuesday Oct 16, 2012

October 2012 Critical Patch Update and Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle has just released the October 2012 Critical Patch Update and the October 2012 Critical Patch Update for Java SE.

As a reminder, the release of security patches for Java SE continues to be on a different schedule than for other Oracle products due to commitments made to customers prior to the Oracle acquisition of Sun Microsystems.  We do however expect to ultimately bring Java SE in line with the regular Critical Patch Update schedule, thus increasing the frequency of scheduled security releases for Java SE to 4 times a year (as opposed to the current 3 yearly releases).  The schedules for the “normal” Critical Patch Update and the Critical Patch Update for Java SE are posted online on the Critical Patch Updates and Security Alerts page.

The October 2012 Critical Patch Update provides a total of 109 new security fixes across a number of product families including: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Customer Relationship Management (CRM), Oracle Industry Applications, Oracle FLEXCUBE, Oracle Sun products suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 109 new vulnerabilities, 5 affect Oracle Database Server.  The most severe of these Database vulnerabilities has received a CVSS Base Score of 10.0 on Windows platforms and 7.5 on Linux and Unix platforms.  This vulnerability (CVE-2012-3137) is related to the “Cryptographic flaws in Oracle Database authentication protocol” disclosed at the Ekoparty Conference.  Because of timing considerations (proximity to the release date of the October 2012 Critical Patch Update) and the need to extensively test the fixes for this vulnerability to ensure compatibility across the product stack, the fixes for this vulnerability were not released through a Security Alert; instead, mitigation instructions were provided in My Oracle Support Note 1492721.1 prior to the release of the fixes in this Critical Patch Update.  Because of the severity of these vulnerabilities, Oracle recommends that this Critical Patch Update be installed as soon as possible.

Another 26 vulnerabilities fixed in this Critical Patch Update affect Oracle Fusion Middleware.  The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 10.0; it affects Oracle JRockit and is related to Java vulnerabilities fixed in the Critical Patch Update for Java SE. 

The Oracle Sun products suite gets 18 new security fixes with this Critical Patch Update.  Note also that Oracle MySQL has received 14 new security fixes; the most severe of these MySQL vulnerabilities has received a CVSS Base Score of 9.0.

Today’s Critical Patch Update for Java SE provides 30 new security fixes.  The most severe CVSS Base Score for these Java SE vulnerabilities is 10.0 and this score affects 10 vulnerabilities.  As usual, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running a Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 

Also, as is typical in the Critical Patch Update for Java SE, most of the vulnerabilities affect Java and Java FX client deployments only.  Only 2 of the Java SE vulnerabilities fixed in this Critical Patch Update affect client and server deployments of Java SE, and only one affects server deployments of JSSE.  This reflects the fact that Java running on servers operates in a more secure and controlled environment.  As discussed during a number of sessions at JavaOne, Oracle is considering security enhancements for Java in desktop and browser environments. 

Finally, note that the Critical Patch Update for Java SE is cumulative, in other words it includes all previously released security fixes, including the fix provided through Security Alert CVE-2012-4681, which was released on August 30, 2012.

For More Information:

 

Thursday Aug 30, 2012

Security Alert for CVE-2012-4681 Released

Hi, this is Eric Maurice again!

Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.  These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.  These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.

Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0.  This score assumes that the affected users have administrative privileges, as is typical on Windows XP.  Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.
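Three posts on this page lean on the same CVSS v2 arithmetic: a browser applet bug scores 10.0 when the victim is an administrator and 7.5 when the same bug only yields "Partial" impact (the February 19 and October 16 posts), and a security-in-depth issue with no direct impact scores 0.0 (the paragraph above).  The calculator below is an added worked example, not code from Oracle or from the original posts; it implements the CVSS v2 base equations and metric weights.  The vectors it scores are illustrative assumptions chosen to match the text (network-reachable, low complexity, no authentication for an applet bug; medium complexity and a confidentiality-only leak for the Lucky Thirteen-style 4.3), not vectors copied from Oracle's advisories.

```python
"""CVSS v2 base-score calculator (added worked example, not Oracle's code).

The constants are the metric weights and equations from the CVSS v2 guide.
The vectors below are illustrative choices consistent with the posts: a
browser applet bug is reachable over the network, needs no authentication
and is easy to trigger; what changes with the victim's privileges is the
impact part of the vector (Complete vs. Partial).
"""
import math

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', ...}; rejects incomplete vectors."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [m for m in ("AV", "AC", "Au", "C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing metric(s): {missing}")
    return metrics


def round_half_up(x):
    """CVSS rounds to one decimal, half away from zero (Python's round() is banker's)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score for a vector string."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # f(Impact) is 0 when there is no direct impact, so exploitability alone cannot
    # lift the score above 0.0; that is the security-in-depth case described above.
    f_impact = 0.0 if impact == 0 else 1.176
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Illustrative vectors (assumed for this example, not copied from Oracle's advisories).
EXAMPLES = {
    "applet, victim is administrator": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "applet, victim is unprivileged": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "security-in-depth, no direct impact": "AV:N/AC:L/Au:N/C:N/I:N/A:N",
    "TLS padding leak, Lucky Thirteen-style": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
}


def score_examples():
    """Score every illustrative vector; returns {label: base score}."""
    return {label: base_score(vec) for label, vec in EXAMPLES.items()}


if __name__ == "__main__":
    for label, score in score_examples().items():
        print(f"{score:>5}  {label}")
```

The drop from 10.0 to 7.5 comes entirely from the impact term: exploitability is identical in both vectors, which is why the posts can state the lower score as a platform-dependent reading of the same bug rather than a different bug.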

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant arbitrary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system.  Note that this malware may in some instances be detected by current antivirus signatures upon its installation. 

Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible.  Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.   

For more information:

 

Friday Aug 10, 2012

Security Alert CVE-2012-3132 Released

Hi, this is Eric Maurice.

Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012.  With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges.  This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update.  Note that this vulnerability is not remotely exploitable without authentication; in other words, the attacker needs to have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions.  Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.

As much as possible, it is important that organizations use the most current product versions available to them.  As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported.  However, it is likely that these vulnerabilities exist in previously released, but no longer supported releases of the affected products.  In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort.  This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases.  Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running. 

It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing. 

For more information:

The Security Alerts and Critical Patch Updates page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Advisory for Security Alert CVE-2012-3132 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html

The blog entry “Take Advantage of Oracle's Ongoing Assurance Effort!” is located at https://blogs.oracle.com/security/entry/take_advantage_of_oracles_ongo

The blog entry “Keeping Up With Newer Releases is Good Security Practice” is located at https://blogs.oracle.com/security/entry/keeping_up_with_newer_releases


Friday Jul 20, 2012

Use of the Common Vulnerability Reporting Format (CVRF) for Oracle’s Security Advisories

Hi, this is Reshma Banerjee. I am a member of the Security Alerts group within the Global Product Security Team at Oracle. My primary responsibilities include working with security researchers on the vulnerabilities they report to Oracle and engaging with the various engineering organizations at Oracle to ensure timely delivery of security fixes in the Critical Patch Updates and Security Alerts.

As announced in a previous blog entry, starting with the July 2012 Critical Patch Update, Oracle will be producing the security advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF version 1.1). Of course, Oracle will also continue to produce its Security Alert and Critical Patch Update advisories using the existing format (as a reminder, all Security Alert and Critical Patch Update Advisories are published at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

The Common Vulnerability Reporting Framework is an XML-based standard that enables sharing of vulnerability information in a machine-readable format. Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF), this format was then developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum which enables industry collaboration for the development of security solutions and practices to address global security challenges. Oracle is a member of ICASI.

CVRF is a good example of a useful work product that can come out of such a pragmatic forum of security-dedicated organizations. It provides an XML format that may be used by any vendor to publish relevant information pertaining to vulnerabilities. This includes, among other useful information, the CVE number identifying each vulnerability, the CVSS score rating its relative severity, the affected products and versions, and mitigation instructions. We believe that CVRF will help customers with diverse IT environments be more efficient in assessing and processing security vulnerability advisories from different IT vendors. Having been personally involved with CVRF since the summer of 2009, I believe CVRF provides two key benefits:

(1) It provides a consistent way to depict security information thus simplifying the interpretation of the advisories, and

(2) It provides a machine-readable format for the interpretation of security advisories, thus allowing automation (and integration of the advisories in, for example, vulnerability scanning tools).

In the absence of a common security advisory format, IT industry vendors publish their security advisories and bulletins using their own proprietary formats. Most organizations have to contend with a heterogeneous IT infrastructure and therefore need to deal with multiple vendors. Consequently, security-conscious organizations need to interpret security advisories from multiple vendors. While security advisories from the various IT vendors may include similar information, the differences in format and terminology cause, at best, customers to waste a lot of time interpreting security advisories, and at worst, create confusion and errors as a result of the different terminology being used. To a large extent, this problem is similar to the one that existed prior to the wide adoption of the Common Vulnerabilities and Exposures (CVE) number for the identification of individual vulnerabilities.

As IT vendors adopt CVRF, and use it in their security advisories and bulletins, it will become much easier for customers to interpret relevant security information. In addition, customers will be able to more easily write their own automation tools to get the pertinent information from the various advisories without having to cope with multiple formats. Customers will also be able to write tools to automate the action to be taken if they find information in the advisories that affects them. Oracle plans to continue contributing to the CVRF working group and providing CVRF advisories with future Critical Patch Updates and Security Alerts.
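The automation the post has in mind (pulling CVE, score, and affected products out of a CVRF advisory so that a ticketing system or scanner can act on it) is shown below as an added example; it is not Oracle's or ICASI's tooling.  The sample document is constructed for illustration: its namespaces and element names (Vulnerability, CVE, ProductStatuses/Status, CVSSScoreSets/ScoreSet, ProductTree/FullProductName) follow the CVRF 1.1 schema, the two CVE numbers and base scores are the ones quoted on this page, and the product identifiers and CVSS vectors are assumptions.  Real advisories should be checked against the published schema before any field is relied upon.

```python
"""Pull the machine-readable facts out of a CVRF 1.1 advisory (added example,
not Oracle's or ICASI's tooling).

The sample document is constructed for illustration. Its namespaces and element
names follow the CVRF 1.1 schema; the CVE numbers and base scores are the ones
quoted on this page, the product identifiers and CVSS vectors are assumed.
"""
import xml.etree.ElementTree as ET

NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Constructed sample advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <prod:ProductTree>
    <prod:FullProductName ProductID="jre7-browser">Java SE 7 in web browsers (constructed ID)</prod:FullProductName>
    <prod:FullProductName ProductID="jsse7-server">JSSE server deployments (constructed ID)</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-2013-0422</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>jre7-browser</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>10.0</vuln:BaseScore><vuln:Vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</vuln:Vector></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:CVE>CVE-2013-0169</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>jsse7-server</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>4.3</vuln:BaseScore><vuln:Vector>AV:N/AC:M/Au:N/C:P/I:N/A:N</vuln:Vector></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvrf(xml_text):
    """Return one dict per Vulnerability: cve, base_score, vector, affected product names.

    xml.etree does not fetch external entities, but for advisories pulled from the
    network use defusedxml so that entity-expansion (billion laughs) payloads are
    rejected as well.
    """
    root = ET.fromstring(xml_text)
    # ProductTree maps opaque ProductIDs to human-readable names.
    names = {p.get("ProductID"): (p.text or "").strip()
             for p in root.iterfind(".//prod:FullProductName", NS)}
    entries = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        affected_ids = [pid.text.strip() for pid in v.iterfind(
            "vuln:ProductStatuses/vuln:Status[@Type='Known Affected']/vuln:ProductID", NS)]
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        entries.append({
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS).strip(),
            "base_score": float(score) if score else None,
            "vector": v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:Vector",
                                 default="", namespaces=NS).strip(),
            "affected": [names.get(i, i) for i in affected_ids],  # fall back to the raw ID
        })
    return entries


def at_or_above(entries, threshold):
    """CVE identifiers whose base score meets the threshold, for ticketing or scanner feeds."""
    return [e["cve"] for e in entries
            if e["base_score"] is not None and e["base_score"] >= threshold]


if __name__ == "__main__":
    found = parse_cvrf(SAMPLE_CVRF)
    for e in found:
        print(e["cve"], e["base_score"], e["vector"], "; ".join(e["affected"]))
    print("at or above 7.0:", at_or_above(found, 7.0))
```

Selecting only the "Known Affected" status is deliberate: CVRF also carries "Known Not Affected" and "Fixed" statuses, and folding those into the affected list is the kind of terminology error the post describes.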

For more Information:

ICASI’s web site is located at http://www.icasi.org/

More information on CVRF 1.1 is located at http://www.icasi.org/cvrf-1.1

Tuesday Jul 17, 2012

July 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle has just released the July 2012 Critical Patch Update.  This Critical Patch Update delivers a total of 87 new fixes across a number of product families including: Oracle Database, Oracle Application Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and the Oracle Sun product suites.

For the first time, in addition to the usual advisories, Oracle is producing the Critical Patch Update advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1.  CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion.  This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member.  In a future blog post, we will discuss CVRF in more detail, particularly to highlight its benefit as a means to enable the sharing of vulnerability-related information in a way that can be interpreted by a wide range of systems.

Out of these 87 new security fixes, 4 are for the Oracle Database.  The highest CVSS Base Score for these database vulnerabilities is 5.0.  3 of these 4 vulnerabilities are remotely exploitable without authentication; however 2 of these vulnerabilities affect the Database on the Windows platform only. 

In addition, this Critical Patch Update includes 1 fix for the Oracle Application Express Listener, 2 new fixes for Oracle Secure Backup, and 1 new fix for Oracle Enterprise Manager. 

With this Critical Patch Update, Oracle Fusion Middleware receives 22 new fixes.  The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0, but this score affects a series of Java Runtime Environment issues in JRockit.  These Java SE fixes were previously released in the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update also includes a new security fix for Oracle Hyperion.

This Critical Patch Update provides the following applications security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel CRM, and 1 for Oracle Life Sciences.

 Finally, the Oracle Sun product suites receive 24 new security fixes, and MySQL gets 6 new security fixes.   The highest CVSS Base Score for the Sun product suites vulnerabilities is 7.8. 

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  This is particularly important as our experience has shown that potentially malicious hackers comb through vendors’ advisories and often attempt to reverse-engineer the fixes contained in them to develop new exploits. 

Customers seeking recommendations for applying the Critical Patch Update should refer to the “Recommendations for leveraging the Critical Patch Update and maintaining a proper security posture” white paper available on Oracle’s web site.  In addition, customers are encouraged to take advantage of the broad range of resources, tools, and best practices available on My Oracle Support.

For more information:

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html

The July 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Information about Oracle Support resources, tools, and best practices is available at http://www.oracle.com/us/support/best-practices/overview/index.html


About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.
