Oracle released its quarterly Critical Patch Update (CPU) on Tuesday, issuing 89 security updates that touch nearly all of its product groups, many of them addressing security flaws that can be exploited remotely by an attacker.
“Oracle’s flagship product, the Oracle database, gets six updates this month, with four being remotely exploitable,” Wolfgang Kandek, CTO at Qualys noted in a blog post.
Ross Barrett, senior manager of security engineering at Rapid7, considers the July CPU relatively quiet. “Relative is of course subjective to Oracle, since this gigantic pile of unrelated code fixes includes 89 distinct CVEs and touches 20+ distinct products,” Barrett told SecurityWeek.
“The highest risk issue is scored with a CVSS of 9 because it’s remotely exploitable without authentication,” Barrett warned. “This vulnerability in the XML Parser in Oracle’s Database Server is part of a mixed bag of other vulnerabilities ranging from mild to serious.”
“Oracle Fusion middleware is seeing a lot of attention this quarter with 21 fixes, but nothing super critical,” Barrett said. “Solaris is hit with two remote DoS attacks, plus a couple of local elevation of privilege issues.”
“Of the 21 [Fusion middleware] vulnerabilities, 16 are accessible remotely with a maximum CVSS score of 7.5,” Kandek noted. “A perimeter scan is helpful, or even a quick query to Shodan, which shows over 500,000 machines with Oracle’s HTTP out on the Internet.”
“With such a diverse range of products in this quarter’s patch, it’s hard to tackle these from top to bottom with recommendations,” Barrett explained. “I recommend patching any vulnerable Oracle Database Server instances ASAP and don’t neglect the stability or integrity of the Solaris deployment.”
“The constant drumbeat of critical Oracle patches is more than a little alarming particularly because the vulnerabilities are frequently reported by 3rd parties who presumably do not have access to full source code,” Craig Young, a security researcher at Tripwire, told SecurityWeek. “This month’s CPU credits 18 different researchers coming from more than a dozen different companies.”
“It’s also noteworthy that there every Oracle CPU release this year has plugged dozens of vulnerabilities,” Young added. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”
“Dealing with the large sizes of the Oracle CPUs – often with over a hundred of patches – will be easier if a good map of the currently installed software exists,” Kandek advised. “In any case, we recommend addressing vulnerabilities on systems that are Internet accessible first, i.e. Fusion Middleware, Solaris Operating System, and MySQL.”
As usual, due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply the available patches as soon as possible.
The full Critical Patch Update Advisory from Oracle is available here.