This week’s relentless onslaught of security patches continued late Tuesday afternoon when Oracle released its quarterly Critical Patch Update, a healthy dose of 86 security updates across all major product lines including Oracle Database and MySQL Server.
The most serious may be a critical privilege escalation vulnerability (CVE-2012-3220) in Oracle Database Server. An attacker who is authenticated and has the Create Table privilege can exploit this flaw to gain control of the underlying Windows systems.
“This type of vulnerability would likely be exploited in conjunction with another attack to elevate privileges from the database to the operating system,” said Ross Barrett, senior manager of security engineering at Rapid7. “Oracle Database is their flagship product and to say it is widely deployed is putting it mildly.”
Oracle has been under harsh criticism for much of the young year, primarily for a zero-day vulnerability in Java 1.7u10. Exploits for the previously undisclosed flaw were being hosted in a number of exploit kits, and attacks had already been seen in the wild dropping ransomware and assorted other malware. Oracle did respond quickly with an out-of-band Java 1.7u11 update that addressed the sandbox-bypass vulnerability, but security experts still recommend disabling Java and warn that there are ways to bypass the security enhancements in the latest Java update.
The quarterly Oracle CPU releases, such as Tuesday’s, do not include Java updates; the next scheduled Java security release is Feb. 19.
In addition to the Oracle Database Server patch, five more were included for Oracle Database Mobile/Lite Server. All five are remotely exploitable without authentication. The mobile server is used in embedded systems and smartphones, including Android and BlackBerry.
Rapid7’s Barrett cautions that these vulnerabilities could remain unpatched in some organizations for some time because of the difficulty in updating mobile systems.
“The average user of an application with Oracle Database Mobile/Lite is likely at the mercy of third party vendors and ISPs who may or may not feel it is cost effective to roll out an update,” he said.
Organizations that have deployed MySQL Server are looking at 18 new updates, two of them (CVE-2012-1702 and CVE-2012-0383) remotely exploitable without authentication, Oracle said. Two other privilege escalation vulnerabilities (CVE-2012-5611 and CVE-2012-5612) could enable an attacker to gain control over the underlying Windows system as well; both would require authentication.
Oracle also cautions against five remotely exploitable vulnerabilities in Oracle Fusion Middleware; this product includes Oracle Database components affected by vulnerabilities patched in this CPU as well. The severity of exposure, Oracle said, depends on the database version being used.
A baker’s dozen remotely exploitable vulnerabilities were patched in Oracle Enterprise Manager Grid Control. None of the patches apply to client-only installations. Here too, this product includes Oracle Database and Fusion Middleware components patched in this CPU.
Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (seven of which are remotely exploitable), 12 in Oracle PeopleSoft (seven remotely exploitable), 10 in Oracle Siebel CRM (five remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.
Oracle also released eight patches for its Sun Products Suite, seven of which are in the Solaris operating system. All require multiple levels of authentication and only one is remotely exploitable, a vulnerability in Sun Storage Array Manager that would allow an attacker read access to data.
Finally, Oracle also patched its Oracle Virtualization VirtualBox product, repairing a low-risk flaw.
“Overall, like every Oracle CPU, these issues represent a huge amount of work and real challenges for security and IT teams to respond to,” Barrett said. “Particularly when patching systems they are responsible for, but don’t control, such as mobile devices.”