Oracle CPU July 2013

Oracle released today its Critical Patch Update (CPU) for July 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, with the exception of Java. Java is on a different update cycle of every four months, but it will be migrated to the same schedule beginning in October of 2013.

This month’s CPU contains 89 updates touching most of Oracle’s product groups. A large percentage (>40%) of the vulnerabilities addressed allow for remote unauthenticated access for the attacker and should be priority, particularly on applications that are exposed to the Internet.

Here is our breakdown of the update:

• Oracle’s flagship product, the Oracle database, gets six updates this month, with four being remotely exploitable. The XML parser vulnerability, which is remotely accessible but requires authentication, has the highest CVSS score of the entire CPU, 9.0 (on a scale of 10) indicating high criticality. One mitigating factor is that Oracle databases are typically not exposed the Internet.
• Oracle’s MySQL database has 18 vulnerabilities addressed, including two that are remotely accessible and have a CVSS score of 6.8. MySQL is often found exposed to the Internet, even though this is not considered best practice. If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed.
• The Oracle Sun product line has 16 updates, with eight being remotely accessible. The highest CVSS score is 7.8. If you have Sun Solaris servers in your organization, review these patches and start with the machines on your perimeter and DMZ.
• Oracle’s Fusion Middleware has a total of 21 vulnerabilities and includes many components that are typically found on the Internet, such as the Oracle HTTP server. Of the 21 vulnerabilities, 16 are accessible remotely with a maximum CVSS score of 7.5. Again, a perimeter scan is helpful, or even a quick query to Shodan, which shows over 500,000 machines with Oracle’s HTTP out on the Internet.
• Fusion also contains the Outside-In product that is used in Microsoft Exchange for document viewing. Outside-In has, in the past year, caused two updates in Microsoft’s email product to address the vulnerabilities in MS12-058 and MS12-080. Recent research by Will Domann at CERT/CC shows that Outside-In has the potential for more vulnerabilities. He recommends turning off the WebReady feature, which means that users have to download the documents to the local disk for viewing. If that cannot be done, he advises updating to the latest version of Windows Server and Exchange for maximum robustness from the underlying platform to prevent exploitation.
• Further product areas with Security updates include Peoplesoft, E-Business and Virtualization.

Dealing with the large sizes of the Oracle CPUs – often with over a hundred of patches – will be easier if a good map of the currently installed software exists. In any case, we recommend addressing vulnerabilities on systems that are Internet accessible first, i.e. Fusion Middleware, Solaris Operating System, and MySQL.