Oracle released today its quarterly Critical Patch Update (CPU) and Security Alerts, which include 78 vulnerability fixes across hundreds of products. Oracle's acquisition of companies like PeopleSoft and Sun, in addition to its own diverse product portfolio, has made the CPUs large and dense.
Our top priority goes to patching vulnerabilities that attackers can exploit remotely without authentication and where the affected systems could be exposed to the outside world. For Sun users this includes nine vulnerabilities that affect Solaris (CVE-2011-2287, CVE-2011-2245, CVE-2011-2294, CVE-2011-2298), SPARC (CVE-2011-2288, CVE-2011-2299, CVE-2011-2307) and Oracle GlassFish Server (CVE-2011-1511, CVE-2011-2260). Protocols that attackers could use for exploitation include SSH, HTTP, SSL and KSSL.
Our second priority goes to patching vulnerabilities that are remotely exploitable but whose affected products typically are not exposed to the outside, thanks to network segregation or firewalls. Oracle Database Server, Grid Control, Enterprise Manager and PeopleSoft patches fall in this category. Protocols that attackers could use for exploitation include Oracle Net and HTTP. While some of these products may have a legitimate business reason to be exposed outside of the corporate network, we strongly advise organizations to assess their network infrastructures and prioritize patches based on their exposure.
The CPUs are becoming huge. Given the diversity of affected products, our guess is that many larger organizations have specialized teams working on different products in order to make the Oracle quarterly CPU a bit more manageable.
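The two-tier ordering described above (first: remote, unauthenticated and internet-facing; second: remote but internal-only) and the per-product split into team work queues can be turned into a small triage script. The following is an added example, not code from Qualys or Oracle; the asset inventory, the hostnames, the `CVE-PLACEHOLDER-*` identifiers and the authentication flags are constructed for illustration, and the `remote`/`needs_auth` attributes are assumptions that a real run would take from the CPU risk matrix rather than from this file. The CVE ids that are not placeholders are the ones listed in the post.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    INTERNET = "internet-facing"
    INTERNAL = "internal-only"


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    exposure: Exposure


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    remote: bool       # exploitable over the network
    needs_auth: bool   # attacker must already hold valid credentials


def priority(adv: Advisory, assets: list) -> int:
    """Return 1 (patch first), 2 or 3, following the post's ordering.

    1: remote, no authentication needed, and at least one affected asset
       is reachable from the outside.
    2: remote, but every affected asset sits behind segregation/firewalls.
    3: local-only or authenticated issues, or product not deployed here.
    """
    affected = [a for a in assets if a.product == adv.product]
    if not affected:
        return 3  # nothing to patch yet; schedule with routine maintenance
    internet_facing = any(a.exposure is Exposure.INTERNET for a in affected)
    if adv.remote and not adv.needs_auth and internet_facing:
        return 1
    if adv.remote:
        return 2
    return 3


def triage(advisories: list, assets: list):
    """Sort advisories by priority (then CVE id) and group them per product.

    The per-product dict is the work queue a product-specific team would pick
    up, as the post suggests larger organizations do.
    """
    ranked = sorted(advisories, key=lambda adv: (priority(adv, assets), adv.cve))
    by_product = defaultdict(list)
    for adv in ranked:
        by_product[adv.product].append((priority(adv, assets), adv.cve))
    return ranked, dict(by_product)


# Constructed inventory: which products run where, and how exposed they are.
ASSETS = [
    Asset("web-01", "Oracle GlassFish Server", Exposure.INTERNET),
    Asset("sol-edge-01", "Solaris", Exposure.INTERNET),
    Asset("db-01", "Oracle Database Server", Exposure.INTERNAL),
    Asset("hr-01", "PeopleSoft", Exposure.INTERNAL),
]

# Constructed advisory list: CVE ids from the post plus labelled placeholders.
# remote/needs_auth values are illustrative assumptions, not Oracle's ratings.
ADVISORIES = [
    Advisory("CVE-2011-1511", "Oracle GlassFish Server", remote=True, needs_auth=False),
    Advisory("CVE-2011-2287", "Solaris", remote=True, needs_auth=False),
    Advisory("CVE-2011-2288", "SPARC", remote=True, needs_auth=False),  # no SPARC asset
    Advisory("CVE-PLACEHOLDER-DB-1", "Oracle Database Server", remote=True, needs_auth=False),
    Advisory("CVE-PLACEHOLDER-PSFT-1", "PeopleSoft", remote=True, needs_auth=False),
    Advisory("CVE-PLACEHOLDER-LOCAL-1", "Solaris", remote=False, needs_auth=True),
]


def run_example():
    ranked, by_product = triage(ADVISORIES, ASSETS)
    for adv in ranked:
        print(f"P{priority(adv, ASSETS)}  {adv.cve:24}  {adv.product}")
    return ranked, by_product


if __name__ == "__main__":
    run_example()
```

Feeding the script a real inventory is the step that matters: the same CVE lands in tier 1 or tier 2 depending only on whether any host running that product is reachable from outside, which is exactly the exposure assessment the post asks for.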
-Guest post from Amol Sarwate, Vulnerability Labs Manager for Qualys