Buried under the Oracle patching avalanche - January 2013 edition

Last updated at Mon, 24 Jul 2017 21:16:20 GMT

Oracle has released their scheduled, quarterly patching bonanza.  This Critical Patch Update (CPU) touches on a broad range of their products including Oracle Database, Database Mobile/Lite, VirtualBox, Solaris, Fusion Middleware, MySQL, and pieces of their ERP and CRM suites… but not Java.  Unless the Department of Homeland Security singles out Java again before it's next scheduled update on February 19th we will not likely see action on that front. 

The biggest risk in the current CPU is in Oracle Database where CVE-2012-3220 allows an authenticated user who has the ‘CREATE TABLE' privilege to gain control of the underlying Windows operating system.  This type of vulnerability would likely be exploited in conjunction with another attack to elevate privileges from the database to the operating system.  Oracle Database is their flagship product and to say it is “widely deployed” is putting it mildly.

There are also five vulnerabilities patched in Oracle Database Mobile/Lite.  Oracle Database Mobile/Lite is used in embedded systems and mobile devices including Android and Blackberry applications.  Any of these five could allow an unauthenticated remote attacker to gain control of the device and these issues will probably remain unpatched in some places for a long time due to the challenges of updating mobile systems.  The average user of an application with Oracle Database Mobile/Lite is likely at the mercy of third party vendors and ISPs who may or may not feel it is cost effective to roll out an update.

Two high risk (and 17 medium risk) issues are patched in MySQL.  The high risk issues (CVE-2012-5611 & CVE-2012-5612) again are most serious on Windows and could allow an authenticated attacker to elevate their privileges from the database to gain control of the operating system. 

None of the issues patched in Solaris are particularly scary since they all seem to require multiple levels of authentication and high complexity to exploit, with the exception of CVE-2013-0417 which could “easily” allow read access to data in the Sun Storage Array Manager.

Overall, like every Oracle CPU, these issues represent a huge amount of work and real challenges for security and IT teams to respond to.  Particularly when patching systems they are responsible for, but don't control, such as mobile devices.

-- Happy Patching.