Oracle yesterday released 88 security fixes for vulnerabilities — including several that allow for remote access without authentication — across its portfolio as part of its quarterly Critical Patch Update.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in its CPU advisory.
The company issued a Security Alert after its last quarterly patch, on January 31, to address a denial-of-service vulnerability in multiple Oracle products caused by hash collisions. CVE-2011-5035 affected Oracle WebLogic Server, Oracle Application Server (component: Oracle Container for J2EE/OC4J) and Oracle iPlanet Web Server, and could be exploited remotely without authentication.
Tuesday’s patch addresses six vulnerabilities in Oracle Enterprise Manager, four of which are remotely exploitable. The update also includes fixes for Oracle Database Server, Oracle Fusion Middleware, Oracle Sun products, MySQL, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle Industry Applications, Oracle Financial Services, and Oracle Primavera products.
Several media outlets have noted this is the largest number of database fixes from Oracle since January 2010. The highest Common Vulnerability Scoring System (CVSS) score among the database bugs is 9.0 on a 10-point scale.
“Just when we thought Oracle threw in the towel on fixing database vulnerabilities, they follow up their record low database-related fixes from the last CPU in January with a dozen fixes in the April 2012 CPU,” said Alex Rothacker, Director of Security Research for Application Security Inc.’s Team SHATTER, in a news release today. The company’s lead security researcher, Esteban Martinez Fayo, is credited with reporting seven of the 12 database vulnerabilities in the April CPU to Oracle.
“While we hope that this is an indication of Oracle’s renewed focus on database security improvements,” Rothacker continued, “we are quite disappointed that it took them over two and a half years to fix a high risk vulnerability that we reported to them in October 2009. It is just not acceptable to leave users at risk for that long.”
He added that he had “tremendous concern” with the upswing in critical flaws that allow for remote exploits without the need for usernames and passwords. “That is a massive amount of flaws of this nature to have across the Oracle product line. Hopefully that is not a trend that we continue to see more of in future CPU cycles.”
Because the mammoth patch may take some time to apply, some security experts have recommended workarounds and prioritizing vulnerabilities. In a blog post, Rothacker listed the database fixes in order of severity, some in more detail than what’s posted here:
CVE-2012-0552: A stack based buffer overflow that allows for a complete takeover of the machine hosting the Oracle Database on Windows and full takeover of the Database on other operating systems.
CVE-2012-0519: Affects installations on Windows only and allows a complete takeover of the host and database.
CVE-2012-0511: Allows an attacker to brute-force passwords while leaving only a minimal audit trail.
CVE-2012-0528: Allows an attacker to reuse an existing session ID.
CVE-2012-0512 and CVE-2012-0525: Two SQL injection flaws that allow a user to elevate privileges and execute SQL functions as SYSMAN.
CVE-2012-1708: Allows anybody with access to the network to affect the integrity of the database. Only Application Express is affected.
CVE-2012-0526 and CVE-2012-0527: Both allow an unauthenticated attacker to steal a user’s session and compromise the confidentiality and integrity of the database. This only requires patching if Enterprise Manager is installed and used.
CVE-2012-0520: Another Enterprise Manager-specific vulnerability that allows a remote, unauthenticated attacker to affect the integrity of the database.
CVE-2012-0534: Allows any authenticated user to affect the integrity of the Database via a vulnerability in the RDBMS Core.
CVE-2012-0510: Allows an attacker unlimited attempts to change passwords for locked accounts. The catch that makes it a lower risk is that the current password must be known for it to work.
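Several of the items above only matter if a particular component is present (Application Express for CVE-2012-1708; Enterprise Manager for CVE-2012-0526, CVE-2012-0527 and CVE-2012-0520), so a sensible first step in prioritizing is to inventory each database before scheduling downtime. The queries below are an added example for that check, not from the article, Rothacker’s blog post or Oracle’s advisory. They assume a DBA-privileged session on the database itself and use Oracle’s standard DBA_REGISTRY and DBA_REGISTRY_HISTORY views; the component IDs 'APEX' and 'EM' are the values Oracle registers for Application Express and the Database Control repository. Note that the 'EM' row reflects only Database Control: a separate Grid Control installation has its own inventory and is not visible here.

```sql
-- Added example (not from the article or Oracle's advisory).
-- Run as SYS or SYSTEM on each database you are triaging for the April 2012 CPU.

-- 1. Which of the component-specific fixes apply here?
--    No row for APEX  -> CVE-2012-1708 is not relevant to this database.
--    No row for EM    -> the Enterprise Manager (Database Control) items are not relevant.
SELECT comp_id,
       comp_name,
       version,
       status
  FROM dba_registry
 WHERE comp_id IN ('APEX', 'EM')
 ORDER BY comp_id;

-- 2. What patch activity has already been recorded against the dictionary?
--    The COMMENTS column carries the CPU or PSU label that was applied
--    (its exact wording varies by release, so filter by eye rather than by LIKE).
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

If the first query returns neither row, the database-side items to schedule are the RDBMS Core and Windows-specific fixes (CVE-2012-0552, CVE-2012-0519, CVE-2012-0534) plus the authentication-related ones (CVE-2012-0511, CVE-2012-0528, CVE-2012-0510); the second query shows whether an earlier CPU was applied but never followed by the post-patch SQL step, which is a common reason a "patched" database still reports the old version.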