July 2013 Critical Patch Update Released
By Eric P. Maurice on Jul 16, 2013
Hello, this is Eric Maurice.
Oracle just released the July 2013 Critical Patch Update. This Critical Patch Update provides 89 new security fixes across a wide range of product families: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle industry Applications, Oracle Supply Chain Products Suite, Oracle VM, Oracle MySQL, and Oracle and Sun Systems Products Suite.
As a reminder, security fixes for Java SE will continue to be released on a separate Critical Patch Update schedule until October this year. Starting with the October 2013 Critical Patch Update, Java SE security fixes will be released on the normal Critical Patch Update schedule, along with the security fixes for all other Oracle products, thus likely to increase the total number of security fixes released with each Critical Patch Update.
Out of the 89 new security fixes included with this Critical Patch Update, 6 are for Oracle Database. One of these database vulnerabilities is remotely exploitable without authentication. The highest CVSS Base Score for these database vulnerabilities is 9.0. This score is related to a vulnerability (CVE-2013-3751) which affects the XML Parser on Oracle Database 220.127.116.11 and 18.104.22.168.
21 of the fixes included in this Critical Patch Update are for Oracle Fusion Middleware. 16 of these vulnerabilities are remotely exploitable without authentication, and the highest CVSS Base Score for these vulnerabilities is 7.5. This score affects a JRockit vulnerability (CVE-2013-2461), which in fact is related to a series of Java vulnerabilities fixed with the June 2013 Critical Patch Update for Java SE and applicable to JRockit. With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated. Note also that with this Critical Patch Update and the previously-released Critical Patch Update, Oracle has been working on addressing a series of known Apache bugs in Oracle HTTP Server. Finally, note that a number of the Oracle Fusion Middleware vulnerabilities have already been fixed on all supported versions. The listing of these vulnerabilities in the Oracle Fusion Middleware risk matrix should provide an additional impetus for users of affected versions to update their systems to a more secure release.
The Oracle and Sun Systems Products Suite receive a total of 16 new security fixes. 8 of the vulnerabilities are remotely exploitable without authentication, and the maximum CVSS base Score for these vulnerabilities is 7.8.
Oracle MySQL receives 18 new security fixes. 2 of the MySQL vulnerabilities are remotely exploitable without authentication. The highest CVSS Base Score for these bugs is 6.8.
As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible. In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update. However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates. As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are not available under Oracle Premier Support, to update their systems to a current release so as to fully benefit from Oracle’s ongoing security assurance effort (see for example Ovum’s Paper: Avoiding Security Risks with Regular Patching and Support).
For More Information:
The July 2013 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/overview/index.html.