October 2009 Critical Patch Update Released
By Eric P. Maurice-Oracle on Oct 20, 2009
Today's Critical Patch Update (CPU) provides 38 new security fixes across a number of product groups including: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JD Edwards Tools, Oracle WebLogic and Oracle JRockit (formerly from BEA), and Oracle Communications Order and Service Management. Of these 38 vulnerabilities, 19 are remotely exploitable without authentication.
Oracle Database Server receives 16 new fixes, 6 of which are for vulnerabilities that are remotely exploitable without authentication. Three of these vulnerabilities have received a CVSS Base Score of 10.0. These scores reflect the relative severity of the vulnerabilities as they can result in a full compromise of the targeted system down to the operating system (OS). The CVSS guide available on the FIRST web site provides a detailed explanation on how Base Scores are computed. Note however, that these scores are only applicable for the Windows platform. On other platforms, the score for these vulnerabilities is limited to 7.5 because a successful exploitation of these vulnerabilities will not result in a compromise down to the OS layer. Furthermore, note that these vulnerabilities affect various versions (18.104.22.168; 10.1.0.5; 10.2.0.4; and 22.214.171.124), however the most recent versions of Oracle Database Server (126.96.36.199 and 188.8.131.52) are not subject to these vulnerabilities. This is because of the order in which fixes are produced by Oracle (i.e., the main code line is fixed first, for more information see Oracle's policy for fixing security vulnerabilities).
Due to the severity of the new Database Server vulnerabilities, Oracle recommends that this Critical Patch Update be applied against the affected systems as soon as possible. However, until the application of the CPU, common network access control products, such as reverse proxies and firewalls, which are routinely deployed around sensitive systems, can greatly reduce the risks posed by these vulnerabilities. These network security tools can help prevent attempts to exploit these vulnerabilities remotely, and effectively hide the vulnerable systems from malicious Internet users. As a matter of good security practice, a database server should not be exposed to the Internet, and connections to databases should be limited to securely configured application servers and trusted staff.
Oracle WebLogic and JRockit receive 6 new security fixes. One of the fixes has a reported CVSS Base Score of 10.0. It affects Oracle JRockit, and this fix is in fact designed to address multiple vulnerabilities affecting the Sun Java Runtime Environment. These vulnerabilities were disclosed by Sun Microsystems in August 2009, and the CPU Advisory provides the complete list of Sun advisories addressed in JRockit.
For more information:
o The Security Technology Center on OTN is located at http://www.oracle.com/technology/deploy/security/index.html
o The October 2009 CPU advisory is located at http://www.oracle.com/technology/deploy/security/alerts.htm
o Information to subscribe to Oracle security e-mail notifications is located on http://www.oracle.com/technology/deploy/security/securityemail.html
o Note 360870.1 (My Oracle Support subscription required) explains the impact of Java security vulnerabilities on Oracle products.
o Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation.