Qualys Blog

www.qualys.com
wkandek

Oracle CPU October 2014

In the third patch release of the day, after Adobe and Microsoft, Oracle publishes code fixes for 154 distinct vulnerabilities across a large number of product families. Many of the vulnerabilities addressed are critical, allowing an attacker to achieve remote code execution. Given the large number of patches, a precise inventory is crucial for deciding where to patch first.

Here is our internal ranking, using our best estimates on installed base and exploitability:

  1. Java SE – 25 vulnerabilities addressed in Java 6, 7 and 8, the newest version. At least 9 of the vulnerabilities are critical, with a CVSS score of 7, and allow the attacker access to the targeted machine. All but one low-scoring vulnerability apply only to client-side installations of Java, not to Java running on a server. If you use Java on the desktop on version 6, 7 or 8, take a look at these updates.
  2. MySQL database server – 24 vulnerabilities addressed, three of them above CVSS 7 and allowing the attacker access to data. We often see MySQL database servers accessible from the Internet, so if you run such a configuration an update is recommended.
  3. Oracle RDBMS – 31 vulnerabilities addressed, six of them with a CVSS score of 9. All of them require the CREATE SESSION privilege, meaning the attacker needs authentication credentials. Oracle RDBMS servers are usually not directly reachable from the Internet, so an attacker would have to gain a foothold in the network through another vulnerability before being able to try any of the available exploits.
  4. Oracle Fusion Middleware – 18 fixes for vulnerabilities, 14 of them exploitable without authentication. This product group contains Oracle's web and application servers and should receive high-priority treatment if you run them on machines connected to the Internet. Here Oracle also addresses CVE-2014-0114, a vulnerability in Struts.
  5. Sun Solaris – 15 vulnerabilities addressed.

These are not all of the product groups affected: if you run PeopleSoft or JD Edwards applications, there are patches for you as well. Take a good look at the release; it is large and has patches for almost any Oracle customer. A good application inventory or a comprehensive scan will help you determine your most urgent patchable weaknesses.
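The ranking above weighs CVSS against exposure (Internet-facing vs. internal, authenticated vs. not) and installed base, and the post's point is that your own inventory decides the final order. The script below, added here as an illustration and not code from Qualys or Oracle, turns that reasoning into a repeatable triage score. The exposure weights, the credential penalty and the whole sample inventory (host counts, and the CVSS figures for Fusion Middleware and Solaris, which the post does not give) are assumptions; only the product groups, the CREATE SESSION requirement and the quoted CVSS levels come from the post.

```python
"""Patch-triage helper for a Critical Patch Update.

Added example, not code from Qualys or Oracle. Scoring weights and the
inventory below are constructed for illustration.
"""
import math
from dataclasses import dataclass

# How reachable the vulnerable component is. The weights are assumptions.
EXPOSURE_WEIGHT = {
    "internet": 1.0,   # service listening on an Internet-facing host
    "client": 0.8,     # desktop software reached via browser or document content
    "internal": 0.4,   # reachable only after an attacker already has a foothold
}


@dataclass(frozen=True)
class Finding:
    product: str
    max_cvss: float          # highest CVSS among this product group's fixes
    exposure: str            # key of EXPOSURE_WEIGHT
    needs_credentials: bool  # e.g. RDBMS fixes that require CREATE SESSION
    hosts: int               # installs found by the inventory scan


def priority(f: Finding) -> float:
    """CVSS scaled by reachability, authentication requirement and install base."""
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure class: {f.exposure!r}")
    score = f.max_cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.needs_credentials:
        score *= 0.5  # attacker must first obtain an account or a foothold
    # Diminishing returns on host count: 1 host x1, 10 hosts x2, 100 hosts x3.
    score *= 1 + math.log10(max(f.hosts, 1))
    return round(score, 2)


# Constructed inventory for one hypothetical organisation. Host counts are
# invented; CVSS values follow the post where it gives a figure (Java 7,
# MySQL above 7, RDBMS 9) and are invented for Fusion Middleware and Solaris.
INVENTORY = [
    Finding("Java SE (desktop)", 7.0, "client", False, 1000),
    Finding("MySQL Server", 7.5, "internet", False, 10),
    Finding("Oracle RDBMS", 9.0, "internal", True, 10),
    Finding("Fusion Middleware (web tier)", 7.5, "internet", False, 100),
    Finding("Solaris", 6.0, "internal", False, 10),
]


def triage(findings=INVENTORY):
    """Return (product, score) pairs, most urgent first."""
    return sorted(((f.product, priority(f)) for f in findings),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for product, score in triage():
        print(f"{score:6.2f}  {product}")
```

With this sample inventory the Internet-facing Fusion Middleware tier edges out the large desktop Java estate, and the RDBMS fixes land last despite their CVSS 9, because they need credentials on hosts that are not reachable from outside. Swap in your own host counts and exposure classes and the order will move; that is exactly why the inventory has to come before the patch schedule.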
