July 2012 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jul 17, 2012
Hi, this is Eric Maurice again.
Oracle has just released the July 2012 Critical Patch Update. This Critical Patch Update delivers a total of 87 new fixes across a number of product families including: Oracle Database, Oracle Application Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and the Oracle Sun product suites.
For the first time, in addition to the usual advisories, Oracle is producing the Critical Patch Update advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion. This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member. In a future blog post, we will discuss CVRF in more detail, particularly to highlight its benefit as a means to enable the sharing of vulnerability-related information in a way that can be interpreted by a wide range of systems.
Out of these 87 new security fixes, 4 are for the Oracle Database. The highest CVSS Base Score for these database vulnerabilities is 5.0. 3 of these 4 vulnerabilities are remotely exploitable without authentication; however 2 of these vulnerabilities affect the Database on the Windows platform only.
In addition, this Critical Patch Update includes 1 fix for the Oracle Application Express Listener, 2 new fixes for Oracle Secure Backup, and 1 new fix for Oracle Enterprise Manager.
With this Critical Patch Update, Oracle Fusion Middleware receives 22 new fixes. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0, but this score affects a series of Java Runtime Environment issues in JRockit. These Java SE fixes were previously released in the June 2012 Critical Patch Update for Java SE. This Critical Patch Update also includes a new security fix for Oracle Hyperion.
This Critical Patch Update provides the following applications security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel CRM, and 1 for Oracle Life Sciences.
Finally, the Oracle Sun product suites receive 24 new security fixes, and MySQL gets 6 new security fixes. The highest CVSS Base Score for the Sun product suites vulnerabilities is 7.8.
As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible. This is particularly important as our experience has shown that potentially malicious hackers comb through vendors’ advisories and often attempt to reverse-engineer the fixes contained in them to develop new exploits.
Customers seeking recommendations for applying the Critical Patch Update should refer to the “Recommendations for leveraging the Critical Patch Update and maintaining a proper security posture” white paper available on Oracle’s web site. In addition, customers are encouraged to take advantage of the broad range of resources, tools, and best practices available on My Oracle Support.
For more information:
· The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html
· The July 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
· Information about Oracle Support resources, tools, and best practices are available at http://www.oracle.com/us/support/best-practices/overview/index.html