Tuesday Jan 15, 2013

January 2013 Critical Patch Update Released

Hi, this is Eric Maurice.

Today, Oracle released the January 2013 Critical Patch Update.  This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL.  As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication.  5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database.  The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication.  Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments. 

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0. 

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication.  The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0.  As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Product Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EntepriseOne, 10 for Siebel CRM.  As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections for the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for Oracle Sun products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 is for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 are for Oracle MySQL.  The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux). 

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security in depth posture. 

For More Information:

The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

More information about Oracle Software Security Assurance, including Oracle’s vulnerability fixing and disclosure policies is available at http://www.oracle.com/us/support/assurance/index.html. 

 

 

Sunday Jan 13, 2013

Security Alert for CVE-2013-0422 Released

Hi, this is Eric Maurice again.

Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers.  These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.  The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174.  These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0.  Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same.  To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website.  The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system.  These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets. 

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.

Search

Categories
Archives
« January 2013 »
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
14
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today