Oracle Patches 87 Security Flaws in Critical Update

Oracle released on July 17 a sizeable security update fixing 87 vulnerabilities spanning a number of products, including 24 for the Oracle Sun product suite.

The most critical of the vulnerabilities impacts the Oracle JRockit Java Virtual Machine (CVE-2012-3135), and has a base score of 10.0€”the highest possible rating. From an exploitation standpoint, a 10.0 score is a “perfect storm,” explained Rapid7 Security Researcher Marcus Carey, because it can be accessed remotely, has low complexity and can result in a complete compromise of the vulnerable software.

Besides the two-dozen bugs tied to the Sun product suite, the update includes 22 security fixes for Oracle Fusion Middleware; a security fix for Oracle Hyperion; nine for Oracle PeopleSoft products; seven for Oracle Siebel CRM; one for Oracle Industry Applications; six for MySQL; four for the Oracle E-Business suite; one for Oracle Enterprise Manager Grid Control; five for the Oracle Supply Chain product suite; four for the Oracle Database Server; a fix for Oracle Application Express Listener and two for Oracle Secure Backup Apache Component.

Vulnerabilities CVE-2012-1740, which impacts Oracle Application Express Listener, and CVE-2012-3192, which affects the Oracle Secure Backup Apache component, are rated 7.8€”the second-highest rating of this month’s update. Both vulnerabilities can be exploited remotely without authentication, Oracle noted.

“Enterprises should be able to understand the cadence and predictability of Oracle’s CPU Advisories so that they can build countermeasures into their security programs to tackle network-based vulnerabilities,” Carey told eWEEK, adding that “these types of high-impact network-based vulnerabilities exist whether they are known or not.”

“Some common-sense network security concepts such as network access control list can mitigate the risk of Internet-based attacks,” Carey said. “Organizations should also use these types of controls internally to prevent exploitation from internal assets, which at times could be under the control of attackers. In order to do this, organizations need to understand how each product communicates on the network by protocol and ports to create the relevant network-based security controls. Simply put, network access to sensitive assets such as the Oracle products, should be on a €˜need-to-access€™ type basis.€

Along those lines, Sophos Senior Security Advisor Chester Wisniewski noted that many of the bugs fixed in the update are quite old, and Oracle does not mention whether the flaws were disclosed responsibly or not. For that reason, it is prudent to treat all the patches as high risk, he blogged.