
Oracle Fixes 86 Security Flaws in Massive Critical Patch Update

Oracle addressed 86 flaws across 10 product groups in its quarterly Critical Patch Update. Some of the high-risk vulnerabilities, if exploited, would allow attackers to take over an underlying Windows server.

Affected products include Oracle Database, Database Mobile/Lite, VirtualBox, Solaris, Fusion Middleware, MySQL, and pieces of the ERP and CRM suite, Oracle said in its security advisory released Jan. 15. When considering the total number of vulnerabilities, this quarterly update is on par with previous CPUs.

Even so, "like every Oracle CPU, these issues represent a huge amount of work and real challenges for security and IT teams to respond to," Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWeek.

The CPU has only one update for Oracle Database (RDBMS), addressing a vulnerability in the Spatial Oracle component (CVE-2012-3220) which could be exploited to allow an authenticated user with table creation privileges to gain control of the underlying Windows operating system. While the flaw has a Common Vulnerability Scoring System (CVSS) rating of 9.0, this score applies only to Windows systems running Oracle Database, the company wrote in its "risk matrix." For Linux, Unix, and other platforms, the CVSS rating drops to 6.5.

This issue is not remotely exploitable without authentication, Oracle said. Attackers would likely target this vulnerability in conjunction with a privilege escalation flaw in order to gain access to the database and the operating system, Barrett said. However, many administrators may not need to worry about this bulletin because many Oracle RDBMS installations would not have the Spatial Oracle option installed, said Wolfgang Kandek, CTO of Qualys.

In fact, Kandek recommended administrators start with exposed services first, which in this case would mean the 18 vulnerabilities in MySQL. Two high-priority bugs could be remotely exploited without authentication and had a CVSS base score of 9.0. They indicated a "high level of severity and prompting for a quick turn-around," Kandek said.

The high-risk flaws would also allow unauthenticated users to elevate privileges from the database to take control of the Windows system.

Oracle also patched five security flaws in Oracle Database Mobile/Lite Server, formerly known as Oracle Database Lite for 10g. Mobile/Lite Server is commonly used in embedded systems and mobile devices, including Android and BlackBerry applications. All five bugs may be remotely exploitable without authentication.

"These issues will probably remain unpatched in some places for a long time due to the challenges of updating mobile systems," Barrett said. The average user who has a mobile device with an application using Oracle Database Mobile/Lite installed will be "at the mercy of third-party vendors and ISPs who may or may not feel it is cost-effective to roll out an update," Barrett said.

Two of the Mobile Server vulnerabilities have a CVSS base score of 10.0 and the remaining three have a base score of 7.8. "That's as bad as it gets," said Lamar Bailey, director of security research and development at nCircle.

The complete list of products being patched is as follows: Oracle Database Mobile Server, Oracle Database Lite Server, Oracle Access Manager/Webgate, Oracle GoldenGate Veridata, Management Pack for Oracle GoldenGate, Oracle Outside In Technology, Oracle WebLogic Server, Application Performance Management, Enterprise Manager Grid Control, Enterprise Manager Plugin for Database 12c, Oracle E-Business Suite, Oracle Agile PLM Framework, Oracle PeopleSoft HRMS, Oracle PeopleSoft PeopleTools, Oracle JD Edwards EnterpriseOne Tools, Oracle Siebel CRM, Oracle Sun Product Suite, Oracle VM VirtualBox, and Oracle MySQL Server.

None of the issues in Solaris would be considered particularly scary, since they all require multiple levels of authentication and high complexity to exploit, Barrett said.

It's been a tough few days for IT administrators, with scheduled and emergency updates from Microsoft, Oracle, and Adobe all in the past seven days. Earlier this month, Google and Mozilla updated their Web browsers to revoke a certificate authority's credentials.

"We’re just two weeks into 2013 and already we’ve seen a surge of critical vulnerabilities and emergency patches," Bailey said.

Microsoft fixed 12 flaws across seven bulletins as part of its scheduled Patch Tuesday release, and then followed up six days later with an emergency patch addressing a serious zero-day flaw in older versions of Internet Explorer.

Oracle just released an out-of-band patch for Java over the weekend to close two serious remote-code-execution vulnerabilities in Java 7. Exploit code targeting one of the bugs had already been added to popular crimeware kits and was actively being used in attacks. Java's next scheduled update is also coming up on Feb. 19.

Adobe was exceptionally busy this month, with scheduled updates to Adobe Reader, Acrobat, and Flash, and an emergency hotfix for ColdFusion on Tuesday. Attackers were already exploiting the ColdFusion vulnerabilities in the wild, the company said.

The maintainers of the Ruby on Rails Web framework also released updates fixing critical vulnerabilities this month.

"No matter how far behind IT teams are, they can’t afford to ignore this massive Oracle patch," Bailey said.

Full details from Oracle on the Critical Patch Update are available here.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.