October 2011 Critical Patch Updates Released
By Eric P. Maurice on Oct 18, 2011
Hello, this is Eric Maurice.
Oracle just released the October 2011 Critical Patch Update and the Critical Patch Update for Java SE. As explained in previous blogs, because of commitments made before the completion of the Sun acquisition, the security patches for Java SE are typically released on a different schedule than other Oracle products. However, today, the release date of the Critical Patch Update for Java SE coincided with the regular Critical Patch Update release schedule.
The October 2011 Critical Patch Update for Java SE provides fixes for 20 new security vulnerabilities. The highest CVSS Base Score for Java SE vulnerabilities fixed in this Critical Patch Update is 10.0, and it is applicable to 6 vulnerabilities. In addition, one of these 20 new fixes is for the “BEAST” exploit. “BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic. This exploit was recently demonstrated at a security conference. The vulnerability related to this exploit is CVE-2011-3389, and it has a CVSS Base Score of 4.3. Note also that beginning with this Critical Patch Update, security fixes for Oracle JRockit will no longer be released with the Oracle Fusion Middleware fixes but instead will be released along with Java SE fixes in the Critical Patch Update for Java SE. The primary benefit of this change is that Oracle JRockit will now receive Java-related fixes as soon as these fixes are released by Oracle (JRockit fixes were previously distributed with other Oracle Fusion Middleware fixes in the next Critical Patch Update that followed the Critical Patch Update for Java SE).
The October 2011 Critical Patch Update provides fixes for 57 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Linux and Virtualization, and Oracle Sun product suite. None of the 57 new fixes are applicable for client-only deployments.
Of the 57 new fixes, 5 are for Oracle Database Server. None of the Oracle Database Server vulnerabilities addressed in this Critical Patch Update are remotely exploitable without authentication. The most severe vulnerability affecting the Oracle Database Server products suite affects Oracle Application Express (APEX), and it has received a CVSS Base Score of 6.5. None of these fixes are applicable to client-only deployments.
As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base. Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced. This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years. In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code. In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.
22 out of the 57 fixes provided with this Critical Patch Update are for the Oracle Sun product suite. The most severe of these vulnerabilities affect the LDAP Library in Sun Solaris (CVE-2011-3508) and has received a CVSS Base Score of 9.3. Oracle recommends that Solaris customers apply this Critical Patch Update as soon as possible.
Finally, please note that this Critical Patch Update lists a fix for Oracle Linux. Starting with this Critical Patch Update, security fixes in proprietary components of Oracle Linux will be listed in the Critical Patch Update advisory. However, the security fixes for the code generated by the Linux community, as well as those for proprietary Oracle components will continue to be released through the El-errata documentation, in the same fashion as before.
For more information:
- The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html
- The advisories for today’s Critical Patch Updates are located on the Critical Patch Updates and Security Alerts page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html