April 2014 Critical Patch Update Released
By Eric P. Maurice-Oracle on Apr 15, 2014
Hello, this is Eric Maurice again.
Oracle today released the April 2014 Critical Patch Update. This Critical Patch Update provides fixes for 104 vulnerabilities across a number of product lines including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL. A number of the vulnerabilities fixed in this Critical Patch Update have a high CVSS Base Score and are highlighted in this blog entry. Oracle recommends this Critical Patch Update be applied as soon as possible.
Out of the 104 vulnerabilities fixed in the April 2014 Critical Patch Update, 2 were for the Oracle Database. The most severe of these database vulnerabilities received a CVSS Base Score of 8.5 for the Windows platform to denote a full compromise of the targeted system, although successful exploitation of this bug requires authentication by the malicious attacker. On other platforms (e.g., Linux, Solaris), the CVSS Base Score is 6.0, because a successful compromise would be limited to the Database and not extend to the underlying Operating System. Note that Oracle reports this kind of vulnerability with the ‘Partial+’ value for Confidentiality, Integrity, and Availability impact (Partial+ is used when the exploit affects a wide range of resources, e.g. all database tables). Oracle makes a strict application of the CVSS 2.0 standard, and as a result, the Partial+ value does not result in an inflated CVSS Base Score (CVSS only provides for ‘None,’ ‘Partial,’ or ‘Complete’ to report the impact of a bug). This custom value is intended to call customers’ attention to the potential impact of the specific vulnerability and enable them to potentially manually increase this severity rating. For more information about Oracle’s use of CVSS, see http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html.
This Critical Patch Update also provides fixes for 20 Fusion Middleware vulnerabilities. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5. This score applies to one vulnerability in Oracle WebLogic Server (CVE-2014-2470) that is remotely exploitable without authentication. If successfully exploited, this vulnerability can result in a wide compromise of the targeted WebLogic Server (Partial+ rating for Confidentiality, Integrity, and Availability; see the previous discussion about the meaning of the ‘Partial+’ value reported by Oracle).
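The following added example (not Oracle's code and not part of the original post) computes CVSS 2.0 base scores and shows how a ‘Partial+’ rating scores as ‘Partial’ under strict CVSS 2.0, and what the score becomes if a customer chooses to treat it as ‘Complete’. The vectors are assumptions constructed to reproduce the 6.0, 8.5 and 7.5 scores quoted above; the post does not list them, and mapping Partial+ to Complete is only one possible way to raise the rating.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS 2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Constructed vectors (assumptions chosen to match the scores in the post).
DB_NON_WINDOWS = "AV:N/AC:M/Au:S/C:P+/I:P+/A:P+"
DB_WINDOWS = "AV:N/AC:M/Au:S/C:C/I:C/A:C"
WEBLOGIC = "AV:N/AC:L/Au:N/C:P+/I:P+/A:P+"


def parse_vector(vector):
    """Split a CVSS 2.0 base vector into a dict and check it is complete."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def base_score(vector, partial_plus_as="P"):
    """CVSS 2.0 base score. 'P+' is Oracle's label, not a CVSS value, so it
    is scored as 'P' by default; pass 'C' to model a manual increase."""
    m = parse_vector(vector)

    def impact_weight(key):
        value = partial_plus_as if m[key] == "P+" else m[key]
        return IMPACT[value]

    c, i, a = (impact_weight(k) for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # CVSS rounds the base score to one decimal place.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), ROUND_HALF_UP))


def rescore(vector):
    """Return (strict CVSS 2.0 score, score with Partial+ raised to Complete)."""
    return base_score(vector), base_score(vector, partial_plus_as="C")


if __name__ == "__main__":
    for name, vec in [("database, non-Windows", DB_NON_WINDOWS),
                      ("database, Windows", DB_WINDOWS),
                      ("WebLogic", WEBLOGIC)]:
        print(name, vec, rescore(vec))
```

With these vectors, raising Partial+ to Complete moves the non-Windows database score from 6.0 to the 8.5 reported for Windows, which is the kind of adjustment a patch-prioritization process can apply when the database itself is the asset being protected.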
Also included in this Critical Patch Update were fixes for 37 Java SE vulnerabilities. 4 of these Java SE vulnerabilities received a CVSS Base Score of 10.0. 29 of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE. Rounding out this count were one vulnerability affecting the Javadoc tool and one affecting unpack200. As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously released security fixes. Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities.
This Critical Patch Update also included fixes for 5 vulnerabilities affecting the Oracle Linux and Virtualization products suite. The most severe of these vulnerabilities received a CVSS Base Score of 9.3, and this vulnerability (CVE-2013-6462) affects certain versions of Oracle Global Secure Desktop.
Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible. In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update. However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates. As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are no longer available under Oracle Premier Support, update their systems to a currently-supported release so as to fully benefit from Oracle’s ongoing security assurance effort.
For more information:
The April 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
More information about Oracle’s application of the CVSS scoring system is located at http://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html
An Ovum white paper “Avoiding security risks with regular patching and support services” is located at http://www.oracle.com/us/corporate/analystreports/ovum-avoiding-security-risks-1949314.pdf
More information about Oracle Software Security Assurance, including details about Oracle’s secure development and ongoing security assurance practices, is located at http://www.oracle.com/us/support/assurance/overview/index.html
The details of the Common Vulnerability Scoring System (CVSS) are located at http://www.first.org/cvss/cvss-guide.html.
Java desktop users can verify that they are running the most recent version of Java and remove older versions of Java by visiting http://java.com/en/download/installed.jsp.