July 2009 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jul 14, 2009
Hi, this is Eric Maurice again. Today, Oracle released the July 2009 Critical Patch Update (CPUJul2009).
This Critical Patch Update (CPU) includes 30 new fixes across hundreds of products, including some newly acquired product lines (including BEA).
This Critical Patch Update includes 10 additional fixes for Oracle Database Server. Three of these 10 vulnerabilities are remotely exploitable without authentication. None of these vulnerabilities affect client-only deployments.
Three of the Database Server vulnerabilities addresses in this CPU are particularly critical with CVSS Base Scores of 7.5 or over (“high severity” according to the NVD guidelines):
- Vulnerability CVE-2009-1020 receives a CVSS Base Score of 9.0 for Windows, and 6.5 for Unix, Linux, and other platforms. This means that a successful exploitation of the vulnerability can lead to a full compromise of the targeted server at the OS level only on Windows platforms. On other platforms, the scope of the exploitation will be limited to the database layer (i.e. only the database application will be compromised). This vulnerability affects Oracle Database Server 18.104.22.168, 22.214.171.124DV, 10.1.0.5, 10.2.0.4, and 126.96.36.199. —This vulnerability is not remotely exploitable without authentication: The attacker needs to be authenticated to the Database (or use a previously authenticated session) in order to carry on the attack.
- CVE-2009-1019 receives a CVSS Base Score of 7.5 denoting that a successful exploit of this vulnerability can lead to a full compromise of the targeted database. This vulnerability affects Oracle Database Server 188.8.131.52, 184.108.40.206DV, 10.1.0.5, 10.2.0.4, and 220.127.116.11. It is remotely exploitable without authentication.
- Finally, CVE-2009-1963 also receives a CVSS Base Score of 7.5; however it is not remotely exploitable without authentication, and only affects Oracle Database Server 18.104.22.168.
Oracle recommends that this Critical Patch Update be applied against affected Database Server as soon as possible. However, customers should be aware of mitigation measures that may decrease the risks posed by these vulnerabilities in unpatched systems. For example, database servers protected from the Internet through the use of reverse proxy and firewalls, and whose connections are limited to connections to a securely configured application server, are less vulnerable to external attacks. In addition, proper auditing and monitoring can mitigate the risks associated with attempts to exploit these vulnerabilities from an inside source. The security guides and checklists available on the Security Technology Center on Oracle Technology Network provide a number of recommendations to securely deploy Oracle products. When properly implemented, many of these recommendations will greatly reduce the risks posed by vulnerabilities addressed in CPUs.
In addition to the 10 Oracle Database Server fixes, this CPU also provides:
two additional fixes for Oracle Secure Backup 10.2.0.3,
two additional fixes for various versions of Oracle Application Server,
five new fixes for various components of Oracle E-Business Suite,
two additional fixes for Oracle Enterprise Manager 10.2.0.4,
three additional fixes for various PeopleSoft components,
one additional fix for Siebel Enterprise, and
five additional fixes for the BEA products suite.
The Oracle Secure Backup vulnerabilities fixed in this CPU have respective CVSS Base Scores of 10.0 (CVE-2009-1977) and 9.0 (CVE-2009-1978). The last patchset affected by these vulnerabilities is Oracle Secure Backup 10.2.0.3. Oracle strongly recommends that all previous versions of Oracle Secure Backup be upgraded to version 10.2.0.3 and that the fixes be applied, or that customers apply a newer version (10.3.0.1.0). Of course, customers already running Oracle Secure Backup 10.3.0.1.0 or who are not running Oracle Secure Backup should not be concerned about the vulnerabilities associated with older releases.
Note that vulnerability CVE-2009-1094 listed in the BEA Risk Matrix section of the CPU advisory, and affecting the JRockit component, received a CVSS Base Score of 10.0. This fix was in fact released to address a number of vulnerabilities previously reported by Sun MicroSystems in a Security Alert released in March 2009. These multiple vulnerabilities affect the Sun Java Runtime Environment. Oracle CVE-2009-1094 refers to all the Sun advisories that were applicable to JRockit. The CVSS score of 10.0 reported by Oracle in today’s CPU advisory is the highest score (received from NVD) of all the advisories fixed in JRockit. Note that the CPU advisory provides the complete list of all the Sun advisories affecting JRockit.
For more information:
The Security Technology Center on OTN is located at http://www.oracle.com/technology/deploy/security/index.html
The July 2009 CPU advisory is located at http://www.oracle.com/technology/deploy/security/alerts.htm
Information to subscribe to Oracle security e-mail notifications is located on http://www.oracle.com/technology/deploy/security/securityemail.html
MetaLink Note 360870.1 (subscription required) explains the impact of Java security vulnerabilities on Oracle products.
MetaLink Note 394487.1 (subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.