By Eric P. Maurice-Oracle on Oct 15, 2013
Hello, this is Eric Maurice.
Oracle today released the October 2013 Critical Patch Update. As previously announced, this Critical Patch Update is the first one to integrate Java SE. In other words, moving forward planned security fixes for Oracle products, including Java SE, will released on the same schedule. As a result, the average number of fixes delivered through each future Critical Patch Update is, at least for the foreseeable future, likely to be greater than in previous Critical Patch Updates. As an additional reminder, Oracle publishes the release dates of future Critical patch Updates a year in advance. The release dates for the next 4 Critical Patch Update releases are located on the Security Alerts and Critical Patch Updates page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html.
Today’s Critical Patch Update provides 127 new security fixes across a wide variety of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle iLearning, Oracle industry Applications, Oracle FLEXCUBE, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
Out of these 127 new fixes, 2 are specifically for Oracle Database. The maximum CVSS Base Score for the database vulnerabilities is 5.5. One of these database vulnerabilities has already been fixed in all supported version and platform combinations. The other vulnerability is remotely exploitable without authentication. Fixing this second vulnerability requires that customers configure network encryption between their clients and servers if data is sent over untrusted networks. Note that Oracle recently updated its licensing agreement so that network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database. Finally note that 2 Oracle Fusion Middleware fixes are applicable to database deployments and as such are listed in the Database Risk Matrix of the Critical Patch Update advisory.
Out of these 127 fixes, 51 are for Java SE. 50 of the Java SE vulnerabilities fixed in this Critical patch Update are remotely exploitable without authentication. The maximum CVSS Base Score for these Java SE vulnerabilities is 10.0, which denotes a complete takeover of the targeted system (down to the operating system) in instances where Java executes with administrative privileges (i.e. system privileges). Out of these 51 Java vulnerabilities, only 8 are applicable to client and server deployments of Java. 40 apply to client deployment of Java, including one which is only exploitable during Java client deployment. One of the vulnerabilities applies to the JHat developer tool. The last 2 vulnerabilities apply to sites that run the Javadoc tool as a service. For more information about these Java vulnerabilities, see the security matrix for Java SE located on the Critical Patch Update Advisory.
As a reminder, desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes. Oracle strongly recommends that Java users, particularly home users, keep up with Java releases so as to protect themselves against malicious exploitation of Java vulnerabilities.
This Critical Patch Update release also provides 17 security fixes for Oracle Fusion Middleware, 12 of which are for vulnerabilities which are remotely exploitable without authentication. The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5.
4 new security fixes are for Oracle Enterprise Manager Grid Control. All of these Enterprise Manager Grid Control vulnerabilities are remotely exploitable without authentication, and the maximum CVSS Base Score for these vulnerabilities is 4.3.
This Critical Patch Update release also provides 22 new security fixes for Oracle applications as follows: 1 for Oracle E-Business Suite, 2 for Oracle Supply Chain Products Suite, 8 for PeopleSoft Enterprise, 9 for Siebel CRM, and 2 for iLearning. It furthermore provides 6 new security fixes for Oracle Industry Applications and 1 for Oracle Financial Services Software.
Finally, this Critical Patch Update delivers 12 new security fixes for the Oracle and Sun Systems Products Suite. 5 of these vulnerabilities are remotely exploitable without authentication. The maximum CVSS Base Score for these vulnerabilities is 6.9.
As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. To a large extent, maintaining a proper security posture requires that organizations keep up to date with Oracle’s security patches and supported releases so as to take advantage of Oracle’s ongoing security assurance effort.
For More Information:
The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
The Advisory for the October 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html.
Desktop users can make sure they run the most recent version of Java by visiting http://java.com/en/download/installed.jsp.