Connect with us

Hi, what are you looking for?


Data Protection

Oracle Adds MySQL, Issues 78 Total Fixes in January Critical Patch Update

On Tuesday, Oracle delivered its first Critical Patch Update (CPU) of 2012, which included a total of 78 fixes across a wide range of Oracle products. The update also marked the first time the MySQL database software has been part of Oracle’s CPU process.


On Tuesday, Oracle delivered its first Critical Patch Update (CPU) of 2012, which included a total of 78 fixes across a wide range of Oracle products. The update also marked the first time the MySQL database software has been part of Oracle’s CPU process.


In Oracle’s January 2012 Critical Patch Update, 27 new security fixes were issued for MySQL, with one of the vulnerabilities capable of being remotely exploitable without authentication. Interestingly, Oracle’s Database server only contained two security fixes, something that irks database security experts.

While 78 fixes may seem like a fair number of fixes, database security experts still think Oracle is not putting the resources into patching vulnerabilities that it should, and that Oracle’s patching process is still somewhat broken.

“While introducing MySQL into the patch process is a good thing, it emphasizes again scalability problems,” said Amichai Shulman, CTO at Imperva. “With the introduction of a new product, especially when it shows 27 fixes in this CPU, you’d expect the number of overall patches in the CPU to increase. This has not happened.”

Application Security, Inc. told SecurityWeek that its research arm, TeamSHATTER, had discovered and notified Oracle about multiple vulnerabilities that are supposedly in the queue to be fixed, but none had been fixed this time around. The bugs, the researchers say, are not inconsequential either. “The prevailing thought from our researchers is that several of those submitted are high risk and should have been fixed,” said Alex Rothacker, Director of Security Research at Application Security, Inc.

“There is a bottleneck in the Oracle patching process,” said Shulman. Could there be obstacles in the security and testing process? Shulman thinks so. He voiced his concern over the fact that just two vulnerabilities were fixed in Oracle’s core database product. “Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process,” he said. “This may be a consequence of adding the new MySQL product in the patching process. However, another factor may be that these fixes are much more critical and complex than their CVSS score suggests.”

“They should fix this bottleneck, especially as they introduce new products and acquisitions continue,” Shulman added. “We assume the bottleneck exists due to the relative low number of vulnerabilities while the patch increases in terms of products covered. As in many organizations, it’s safe to assume that Oracle has a security team separate from the engineering team that deals with the vulnerabilities and so the bottleneck most likely resides there and should be removed.”

Advertisement. Scroll to continue reading.

“Oracle released a patch for CVE-2012-0094 Solaris TCP/IP Denial of Service bug, a network vulnerability, which had the highest base score of 7.8. CVE-2012-0100 is a Solaris vulnerability related to Kerberos and it has the second highest base score of 6.8,” said Security Researcher, Marcus Carey of Rapid7. “It’s a local vulnerability, but has the greatest ramifications of all the vulnerabilities. Since it is a local vulnerability, it is rated slightly behind CVE-2012-0094.”

While CVE-2012-0094 may have had the highest base score according to Oracle, Carey thinks that another vulnerability is more threatening. “CVE-2012-0083, which affects Oracle WebCenter Content, is the most dangerous network-based vulnerability, because it could allow an attacker to compromise confidentiality and integrity of systems,” Carey said.

Also of note, Carey added, is that Oracle patched CVE-2011-5035, a vulnerability that relates to the GlassFish Enterprise Server denial of service vulnerability that was disclosed at the Chaos Communication Congress in Germany in December.

A summary of the fixes in Oracle’s January 2012 CPU are as follows:

* 2 for Oracle Database Server

* 1 for Oracle Fusion Middleware

* 3 for Oracle E-Business Suite

* 1 for Oracle Supply Chain Products Suite

* 6 for Oracle PeopleSoft Products

* 8 for Oracle JD Edwards Products

* 17 for Oracle Sun Products Suite

* 3 for Oracle Virtualization

* 27 for Oracle MySQL

Earlier this month Oracle released an update to its Oracle Database Firewall, the database giant’s solution to improve enterprise database security and help enterprises prevent internal and external attacks from reaching their databases. The latest edition of Oracle Database Firewall introduced support for MySQL, adding to previous support for Oracle Database 11g and earlier releases, IBM DB2 Linux Unix Windows, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE) and Sybase SQL Anywhere.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.