Feeds

Oracle releases July patch batch... with 27 fixes for remote exploits

EIGHTEEN third-party researchers reported vulns, says security bod

Providing a secure and efficient Helpdesk

Oracle has pushed out a quarterly patch batch of 89 updates that mean almost all of its enterprise software products need updating for one reason or another.

Craig Young, a security researcher at Tripwire, noted that most of the vulnerabilities were picked up by third-party researchers. “The constant drumbeat of critical Oracle patches is more than a little alarming particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code," he said. "This month’s Critical Patch Update credits 18 different researchers coming from more than a dozen different companies."

Sysadmins and database administrators would be well to patch internet-accessible systems first, according to Wolfgang Kandek, CTO at cloud security firm Qualys. Updates to the Oracle Database; Fusion Middleware; the Oracle and Sun Systems Product Suite - including the Solaris OS; and MySQL ought to be patching priorities since vulnerable systems are easier to attack.

Oracle's Critical Patch Update (CPU) for July 2013 covers six bulletins for Oracle's flagship database software, one of which is remotely exploitable.

The XML parser vulnerability, which is remotely accessible but requires authentication, has the highest CVSS (Common Vulnerability Scoring System) severity score of all Tuesday's releases, hitting a peril factor of 9.0. Databases are typically firewalled from the internet, which ought to provide at least some protection.

A total of 18 vulnerabilities in Oracle’s MySQL database were lanced, including two that are remotely accessible. There are also 16 updates for Sun Solaris servers, eight of which cover flaws that might be targeted by hackers across the internet. "If you have Sun Solaris servers in your organisation, review these patches and start with the machines on your perimeter and DMZ (De-Militarised Zone)," Kandek advises.

Oracle’s Fusion Middleware gets patches to address a total of 21 vulnerabilities - a whopping 16 of which are remotely exploitable. The software includes many components that are typically found on the web, such as the Oracle HTTP server. A quick query on Shodan shows more than 500,000 machines with Oracle’s HTTP are accessible across the internet.

The software giant's patch batch also includes updates for Oracle's Peoplesoft, E-Business and Virtualization enterprise software products.

Young told The Register: "It’s also noteworthy that there every Oracle CPU release this year has plugged dozens of vulnerabilities. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013," he added. Scheduled updates for Java are handled on a separate four-month release cycle, so don't appear in the July patch batch. Oracle is planning to align the two releases together starting with its next Critical Patch Update in October 2013.

Earlier this week Oracle published a study arguing IT security spending is misplaced, despite increased investment. Databases and applications - not networks - should be focus of information security programs, Oracle concludes.

Veteran IT analyst Clive Longbottom disagreed with Oracle's assessment and said that enterprises would do better to focus on protecting information. "It is the information that matters - [focusing on] network, app or database misses the point," he told El Reg. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.