January 2010 Critical Patch Update Released
By Eric P. Maurice on Jan 12, 2010
Hi, this is Eric Maurice. Oracle today released the January 2010 Critical Patch Update (CPUJan2010).
Today's Critical Patch Update (CPU) provides 24 new security fixes across the following product families: Oracle Database Server, Oracle Secure Backup, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Primavera, Oracle WebLogic Server and JRockit. 13 of the 24 new vulnerabilities are remotely exploitable without authentication. This means that an attacker could attempt to exploit these vulnerabilities, should the targeted systems be exposed on the network (as opposed to being hidden behind a firewall for example) remotely without requiring a username or password.
9 of the 24 new vulnerabilities are for Oracle Database Server. Only one of these vulnerabilities is remotely exploitable without authentication. The CVSS Base Score for this remotely exploitable without authentication vulnerability is 10.0 for Windows, and 7.5 for Linux, Unix, and other platforms. The CVSS Base Score of 10.0 for the Windows platform denotes that a successful exploitation of this vulnerability can result in a full compromise of the targeted system down to the Operating System level. However, for Linux, Unix, and other platforms, a compromise down to the Operating System is not possible. For these platforms, a successful exploitation of the vulnerability will result in a compromise limited to the database server layer. Obviously, due to the criticality of this vulnerability, Oracle recommends that customers apply the Critical Patch Update as soon as possible. In addition, Oracle recommends that proper network access controls be implemented around sensitive resources (such as database servers), and that access to these systems be restricted as much as possible. As stated on a number of previous occasions, common network access control products, such as reverse proxies and firewalls, can greatly reduce the risks posed by remotely exploitable without authentication vulnerabilities by effectively hiding the vulnerable systems from malicious Internet users.
Another CVSS 10.0 vulnerability reported with this Critical Patch Update is for Oracle Secure Backup. Note that the last affected patch set for this vulnerability is Oracle Secure Backup 10.2.0.3. This vulnerability has therefore been addressed in Oracle Secure Backup 10.3.0.1 (and in the 10.2.0.5 patch set). Oracle recommends that customers of previous versions of Secure Backup upgrade to 10.3.0.1.
The last CVSS 10.0 vulnerability addressed with this Critical Patch Update is for JRockit. Sun MicroSystems released a Security Alert in November 2009 to address multiple vulnerabilities affecting the Sun Java Runtime Environment (JRE). The vulnerability reported in this Critical Patch Update refers to the Sun advisories that were applicable to JRockit. Note that the CVSS Base Score listed on the CPU Advisory is the highest CVSS Base Score computed by the National Vulnerability Database (NVD) for the vulnerabilities that were previously disclosed by Sun. In addition, the CPU Advisory lists the CVEs for the relevant SUN JRE vulnerabilities.
For more information:
* The Security Technology Center on OTN is located at http://www.oracle.com/technology/deploy/security/index.html
* The January 2010 CPU advisory is located at http://www.oracle.com/technology/deploy/security/alerts.htm
* Information to subscribe to Oracle security e-mail notifications is located on http://www.oracle.com/technology/deploy/security/securityemail.html
* Note 360870.1 (My Oracle Support subscription required) explains the impact of Java security vulnerabilities on Oracle products.
* Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.