By Eric P. Maurice on Jan 15, 2013
Hi, this is Eric Maurice.
Today, Oracle released the January 2013 Critical Patch Update. This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL. As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.
Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication. 5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database. The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication. Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments.
This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication. The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0.
13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication. The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0. As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.
This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Products Suite, 12 for PeopleSoft Enterprise, 1 for JD Edwards EnterpriseOne, and 10 for Siebel CRM. As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections of the Advisory, and these need to be patched as well.
Finally, this Critical Patch Update provides 8 fixes for Oracle Sun Products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 for Oracle MySQL. The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms and 6.5 on other platforms (e.g. Linux).
Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security-in-depth posture.
For More Information:
The advisory for the January 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
More information about Oracle Software Security Assurance, including Oracle's vulnerability fixing and disclosure policies, is available at http://www.oracle.com/us/support/assurance/index.html.