Connect with us

Hi, what are you looking for?



Oracle Issues 89 Security Fixes in July 2013 Critical Patch Update

Oracle released its quarterly Critical Patch Update (CPU) on Tuesday, issuing 89 security updates that touch nearly all of its product groups, many of them addressing security flaws that can be exploited remotely by an attacker. 

Oracle released its quarterly Critical Patch Update (CPU) on Tuesday, issuing 89 security updates that touch nearly all of its product groups, many of them addressing security flaws that can be exploited remotely by an attacker. 

“Oracle’s flagship product, the Oracle database, gets six updates this month, with four being remotely exploitable,” Wolfgang Kandek, CTO at Qualys noted in a blog post. 

Ross Barrett, senior manager of security engineering at Rapid7, considers the July CPU relatively quiet. “Relative is of course subjective to Oracle, since this gigantic pile of unrelated code fixes includes 89 distinct CVEs and touches 20+ distinct products,” Barrett told SecurityWeek.

Oracle Logo“The highest risk issue is scored with a CVSS of 9 because it’s remotely exploitable without authentication,” Barrett warned. “This vulnerability in the XML Parser in Oracle’s Database Server is part of a mixed bag of other vulnerabilities ranging from mild to serious.”

“Oracle Fusion middleware is seeing a lot of attention this quarter with 21 fixes, but nothing super critical,” Barrett said. “Solaris is hit with two remote DoS attacks, plus a couple of local elevation of privilege issues.”

“Of the 21 [Fusion middleware] vulnerabilities, 16 are accessible remotely with a maximum CVSS score of 7.5,” Kandek noted. “A perimeter scan is helpful, or even a quick query to Shodan, which shows over 500,000 machines with Oracle’s HTTP out on the Internet.”

“With such a diverse range of products in this quarter’s patch, it’s hard to tackle these from top to bottom with recommendations,” Barrett explained. “I recommend patching any vulnerable Oracle Database Server instances ASAP and don’t neglect the stability or integrity of the Solaris deployment.”

“The constant drumbeat of critical Oracle patches is more than a little alarming particularly because the vulnerabilities are frequently reported by 3rd parties who presumably do not have access to full source code,” Craig Young, a security researcher at Tripwire, told SecurityWeek. “This month’s CPU credits 18 different researchers coming from more than a dozen different companies.”

Advertisement. Scroll to continue reading.

“It’s also noteworthy that there every Oracle CPU release this year has plugged dozens of vulnerabilities,” Young added. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”

“Dealing with the large sizes of the Oracle CPUs – often with over a hundred of patches – will be easier if a good map of the currently installed software exists,” Kandek advised. “In any case, we recommend addressing vulnerabilities on systems that are Internet accessible first, i.e. Fusion Middleware, Solaris Operating System, and MySQL.”

As usual, due to the threat posed by a successful attack, Oracle “strongly recommends” that customers apply the available patches as soon as possible.

The full Critical Patch Update Advisory from Oracle is available here

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.