Buckle up, Oracle administrators: 109 patches are coming your way tomorrow. Oracle’s quarterly Critical Patch Update is due, and the company is releasing fixes for security vulnerabilities across most of its enterprise products, addressing a host of remotely exploitable flaws. This comes a little more than a month after exploits of a serious zero-day vulnerability in Java were reported, along with a critical zero-day vulnerability in Java SE.

Seemingly, no product line is spared. Five patches will be released addressing security problems in Oracle Database Server, including one that is remotely exploitable over a network without the need for a username and password, Oracle said. Two of the patches address client-only installations.

Two of these vulnerabilities were reported by Application Security Inc.’s TeamSHATTER research outfit, including a remotely exploitable password-cracking flaw in Oracle 11g described in CVE-2012-3137.

“Even though Oracle closed the issue more than a year ago, they are now providing a more complete and easy-to-implement fix. According to information they have provided us, the new fix will address the vulnerability in all supported releases (, and and will not require a Client software upgrade,” said Esteban Martinez Fayo, researcher with TeamSHATTER. “The original fix that they provided one year ago was just for and requires that all client software be upgraded to”

The other vulnerability reported by TeamSHATTER, Fayo said, is a SQL injection bug that would allow DBAs with certain privileges to escalate their privileges.

Admins in charge of Oracle application infrastructures may be in for the busiest time.

Oracle announced it will send out 26 new fixes for Oracle Fusion Middleware, the company’s integration platform. Half of the vulnerabilities being repaired are exploitable remotely without the need for authentication. The Oracle Fusion Middleware components being patched are: Oracle Application Server Single Sign-On; Oracle BI Publisher; Oracle Business Intelligence Enterprise Edition; Oracle Event Processing; Oracle Imaging and Process Management; Oracle JRockit; Oracle Outside In Technology; Oracle Reports Developer; Oracle WebCenter Sites; and Oracle WebLogic Server.

Oracle also reports 11 patches for its PeopleSoft and Siebel CRM products (nine and two respectively). One remotely exploitable vulnerability is being repaired in each.

MySQL Server receives 14 patches in total, two of which address remotely exploitable vulnerabilities.

Oracle is also releasing 18 repairs for its Oracle Sun Products Suite, including fixes for three remotely exploitable vulnerabilities. Oracle said the affected Sun products include Solaris, SPARC T3, Netra SPARC T3, SPARC T4, Netra SPARC T4, Oracle GlassFish Server, Sun GlassFish Enterprise Server, and Sun Java System Application Server.

Oracle Financial Services Software’s FLEXCUBE Direct Banking and FLEXCUBE Universal Banking are also affected by a remotely exploitable vulnerability; 13 patches for these products will be released tomorrow.

Finally, nine vulnerabilities in each of Oracle E-Business Suite and Oracle Supply Chain Products Suite will be repaired. Six remotely exploitable flaws have been discovered in E-Business Suite components, while four have been found in the Supply Chain Products Suite.


This article was updated Oct. 15 to include comments from Esteban Martinez Fayo of Application Security Inc.

Comment (1)

  1. Guy


    Oracle documentation (Patching for CVE-2012-3137 [ID 1493990.1]) states the following:

    This vulnerability affects Database user accounts using SHA-1 based password verifiers for authentication… Database user accounts using a DES based password verifier for authentication are unaffected.

    If all of our database user accounts use DES based password verifier, is our database still at risk for CVE-2012-3137?

    I am trying to determine if we need to apply CPUOCT2012.

    Thank you.
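The question above turns on which password verifier each account carries. In Oracle 11g the DBA_USERS view exposes this in its PASSWORD_VERSIONS column, which lists '10G' for the DES-based verifier and '11G' for the SHA-1-based one (both tokens appear when an account holds both). The query below is an added example for inventorying accounts by verifier type before deciding on CPUOCT2012; it is not taken from the article, from Oracle's note, or from the commenter. It assumes a user with SELECT access on DBA_USERS and the 11g column semantics just described; the label strings in the CASE expression are constructed for readability.

```sql
-- Added example (not from the article): classify every database account
-- by the password verifier it holds, to see whether any SHA-1 (11G)
-- verifiers exist, since Oracle's note for CVE-2012-3137 says only
-- accounts with SHA-1 verifiers are affected.
SELECT username,
       account_status,
       password_versions,
       CASE
         WHEN password_versions LIKE '%11G%' THEN 'SHA-1 verifier present (affected)'
         WHEN password_versions LIKE '%10G%' THEN 'DES verifier only (unaffected per Oracle note)'
         ELSE 'no password verifier (e.g. externally authenticated)'
       END AS verifier_class
FROM   dba_users
ORDER  BY verifier_class, username;

-- Summary count per class; a non-zero row for the SHA-1 class means the
-- "all accounts use DES verifiers" assumption does not hold.
SELECT CASE
         WHEN password_versions LIKE '%11G%' THEN 'SHA-1 verifier present'
         WHEN password_versions LIKE '%10G%' THEN 'DES verifier only'
         ELSE 'no password verifier'
       END AS verifier_class,
       COUNT(*) AS accounts
FROM   dba_users
GROUP  BY CASE
            WHEN password_versions LIKE '%11G%' THEN 'SHA-1 verifier present'
            WHEN password_versions LIKE '%10G%' THEN 'DES verifier only'
            ELSE 'no password verifier'
          END;
```

Locked or expired accounts are listed as well, since a verifier they hold becomes relevant the moment the account is reopened; the inventory is a starting point for the risk decision, not a substitute for the vendor's patching guidance.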
