Oracle Critical Patch Update April 2012

Oracle releases its Critical Patch Updates (CPUs) on a quarterly schedule and today made public its April edition with patches for many of its product lines. Oracle patches are usually so massive (88 this quarter) and contain fixes for so many products (over 35 this quarter) that a good software inventory system becomes absolutely crucial to see where to act first and where to apply several patches in concert.

• Oracle Solaris: eight vulnerabilities in Solaris itself, including the remote CVE-2012-1694 with the highest CVSS score for Solaris of 6.4 in the advisory, plus two issues in the Glassfish application server and one in the iPlanet webserver.
• MySQL Server: a total of six vulnerabilities in all versions, but no Remote Code Execution vulnerabilities. Highest CVSS score: 6.8
• Oracle Database Server: both version 10 and 11 are affected by three remote code execution vulnerabilities, all of them in the core RDBMS server (CVE-2012-0519/10/34). Highest CVSS score is 7.1.
• Oracle Peoplesoft has a total of 15 vulnerabilities
• Oracle Middleware: 12 vulnerabilities, including a patch for the JRockit, which addresses the hash-overflow DOS vulnerability that was disclosed around last Christmas at the CCC Congress in Germany.

A large update for Oracle software users, but with a good map to the installed software, one can find the best way to update those software packages. We recommend addressing vulnerabilities on systems that are Internet accessible first. Most likely this will mean fixing Glassfish/iPlanet and Solaris vulnerabilities first, followed by MySQL. Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all.

BTW, both Oracle Enterprise Linux and Oracle Java are not covered in this quarterly CPU process and receive updates on their own distinct schedules.