Oracle patched 78 vulnerabilities in its flagship database software, Fusion Middleware, e-Business Suite, Supply Chain, PeopleSoft, JDEdwards and Sun products.
released 78 security fixes across its database and other products in its
portfolio as part of its Critical Patch Update.
Critical Patch Update contains two fixes for the Oracle Database Server, 11 for
Oracle Fusion Middleware, three in Oracle e-Business Suite, one in Oracle
Supply Chain, six in Oracle PeopleSoft, eight in Oracle JDEdwards, 17 in Oracle
Sun products, three in Oracle Virtualization and 27 in Oracle MySQL, the
company said in its CPU
advisory released Jan. 17
. Of the 78 fixes, only 16 were considered
critical, or could be remotely exploited without needing a username and
to the threat posed by a successful attack, Oracle strongly recommends that
customers apply CPU fixes as soon as possible," the company said in the
advisory. If IT managers delay updating their systems with the CPU, it may be
possible to "reduce the risk" by blocking network protocols required
by the attack or removing privileges to certain packages. However, this move
may also "break application functionality," Oracle said.
vulnerability in the Core RDBMS (CVE-2012-0082) is "probably more
severe" than Oracle made it sound in the advisory, Alex Rothacker, director
of security research at Application Security's TeamSHATTER, told eWEEK
flaw, which affects Oracle Database versions 10.1.05 to 220.127.116.11, provides a
remote code execution opportunity, but requires a valid account on the
database, according to the advisory. However, Oracle hinted at a
"significant non-security component" to the patch and directed users
to a separate support document "to determine the urgency and best
plan of action for applying the fix," the company said.
fixed two vulnerabilities in the Solaris operating system, a denial-of-service
bug and a Kerberos issue. They had the two highest CVSS scores in the entire
fixed the issue in the Oracle OpenSSO component of the Oracle Sun products
suite discovered and reported by Travis Emmert, a security researcher at
Veracode. The flaw, which can be found in versions 7.1 and 8.0, would allow
attackers to run "unauthenticated network attacks via HTTPS,"
according to Veracode. If a user clicked on a specially crafted link in a
phishing email, the attacker would be able to execute actions within the
context of the logged-in user's session, Chris Wysopal, CTO of Veracode, told eWEEK
flaw in Oracle WebCenter Content is the "most dangerous network-based
vulnerability" fixed in this CPU because it could allow attackers to
compromise the confidentiality and integrity of systems, Marcus Carey, security
researcher at Rapid7, told eWEEK
also patched the denial-of-service vulnerability in GlassFish Enterprise Server
that was disclosed at the Chaos Communication Congress in Germany at the end of
should consider patching systems that are Internet accessible first, such as
the issues in Weblogic, Apache and Solaris, according to Wolfgang Kandek, CTO
of Qualys. Oracle RDBMS can "probably be addressed last" as databases
tend to be installed on an internal network or behind a firewall if they are
connected to the Internet, according to Kandek.
next Critical Patch Update release will be on April 17.