January 2012 Critical Patch Update Released
By Eric P. Maurice on Jan 17, 2012
Hi, this is Eric Maurice again.
Oracle just released the January 2012 Critical Patch Update. This Critical Patch Update provides fixes for 78 new security vulnerabilities affecting a wide range of Oracle products families including: Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Virtualization, Oracle Sun product suite, and Oracle MySQL. Note again that security fixes for Java SE continue to be released on a different schedule because of commitments made before the completion of the Sun acquisition.
Out of the 78 new fixes, 2 affect the Oracle Database. The maximum CVSS Base Score for the Database vulnerabilities fixed in this Critical Patch Update is 5.5, however Oracle considers these fixes to be important. In a previous blog entry, we discussed how CVSS Base Scores are computed, and we highlighted the fact that the CVSS Base Score scale is designed to rate the severity of vulnerabilities ranging up to complete exploitation of the affected system down to the Operating System layer (CVSS Base Score greater than 7.5).
One of the database vulnerabilities fixed in this Critical Patch Update has received a CVSS Base Score of 5.0. It is a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it). In other words, this vulnerability could allow an unauthenticated attacker to carry a denial of service attack against the targeted database, for example if it were to be exposed to the Internet.
Though not remotely exploitable without authentication, the other database fix provided in this Critical Patch Update is also important. This database bug, which was also reported to Oracle by InfoWorld, may have wider non-security related consequences for a small number of customers. Database customers are therefore strongly encouraged to apply this Critical Patch Update and consult My Oracle Support Note 1376995.1 for additional instructions.
11 of the 78 new fixes provided by this Critical Patch Update are for Oracle Fusion Middleware. The highest CVSS Base Score for these Oracle Fusion Middleware bugs is 6.4.
An additional 17 fixes affect the Oracle Sun product suite, including Solaris, Glassfish Enterprise Server, and OpenSSO. The highest CVSS Base Score for these Sun product suite vulnerabilities is 7.8.
3 new fixes affect Oracle virtualization. The maximum CVSS Base Score for these vulnerabilities is 3.7. This score is related to a vulnerability affecting Oracle VM VirtualBox.
Finally, Oracle MySQL receives 27 fixes. The maximum CVSS Base Score for these MySQL vulnerabilities is 5.5. One of these vulnerabilities is remotely exploitable without authentication. Note that this is the first time that MySQL fixes are being included in the Critical Patch Update.
Oracle continues to recommend that customers apply all security patches and keep up with newer releases as a means to continue to preserve their security posture. As highlighted in this Critical Patch Update, the decreasing number of fixes produced for the most mature product lines in recent Critical Patch Updates should not be construed as an indication that Critical Patch Updates are becoming less important to the security posture of Oracle customers. Furthermore, security research continues to show that unpatched systems remain an attractive target for malicious hackers. Fortunately, Oracle customers can leverage a number of tools, including My Oracle Support, to keep up with recommended security and non-security releases.
For More Information:
- The Advisory for the January 2012 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
- More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html
- My Oracle Support Note 1376995.1 is located at https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1376995.1 (My Oracle Support authentication required).