Oracle patches 109 vulnerabilities
Posted on 17 October 2012.
Oracle’s Critical Patch Update for October 2012 patches 109 vulnerabilities across hundreds of Oracle products. There are several patches that require immediate attention for enterprises running Oracle paid and free software.

Oracle Database Server's Core RDBMS and Oracle JRockit should both be patched as soon as possible. The Core RDBMS has a vulnerability with a base score of 10.0, which may be remotely exploitable without authentication. This flaw requires immediate attention from organizations running Oracle Core RDBMS, because a successful attack would result in the complete compromise of the system’s confidentiality, integrity, and availability.

Oracle JRockit also has a vulnerability rated as 10.0. When a vulnerability is rated 10.0 on the CVSS scale it is essentially "game over" if an attacker can reach the device over the Internet or intranet.

Oracle's MySQL Server will receive fixes for 14 vulnerabilities, the highest having a CVSS score of 9.0. MySQL has two vulnerabilities that may be remotely exploitable without authentication. CVE-2012-3158, rated 7.5, is the most severe of the MySQL vulnerabilities that are remotely exploitable without authentication.

According to Oracle, it could lead to a compromise of confidentiality, integrity, and availability of systems. Many would argue that CVE-2012-3158 could be rated higher.

MySQL may have the most impact across the Internet. Approximately 3 million MySQL servers were discovered during a recent Internet-wide scan, and about 1.5 million of those don't have host access control lists (ACLs) and are vulnerable to the type of remote exploits that were patched this cycle.

Many were anticipating Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37. I advise everyone who needs Java to update as soon as possible. Rapid7 provides a free online tool IsJavaExploitable.com which allows you to test whether you need to update your Java (and provides links to update if necessary), or verify that patching has worked.
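The verification step above (confirming that a JRE is at or past the patched build) can also be scripted for a fleet, where a browser-based check is impractical. The following is an added example, not code from the article or from Rapid7: it parses the output of `java -version` and compares it against the two patched levels the article names, Java 7 Update 9 and Java 6 Update 37. The sample output strings are constructed for illustration; the `_VERSION_RE` pattern, the `PATCHED_UPDATE` table and the rule that any family newer than Java 7 is assumed to carry the fix are this example's own assumptions.

```python
import re
import subprocess

# Minimum patched update level per Java family, from the October 2012 CPU
# as described in the article: 7u9 and 6u37.
PATCHED_UPDATE = {7: 9, 6: 37}

# `java -version` reports strings such as: java version "1.7.0_07"
# The regex captures the family (7) and the update number (07).
# Assumption of this example: the classic 1.<family>.0_<update> layout.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')

# Constructed sample outputs (not real captures) covering the cases that matter.
SAMPLE_OUTPUTS = {
    "java7_old": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment\n',
    "java7_patched": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment\n',
    "java6_old": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment\n',
    "java6_patched": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment\n',
    "no_java": "bash: java: command not found\n",
}


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` output, or None."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(output):
    """True if the reported JRE is at or above the patched level for its family.

    Unrecognised output and families older than Java 6 are reported as not
    patched, so an inventory script fails closed rather than silently passing.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    family, update = parsed
    if family > 7:
        # Assumption: a later family than the article covers already carries the fix.
        return True
    if family not in PATCHED_UPDATE:
        # Java 5 and older: no patched level in this cycle, treat as unpatched.
        return False
    return update >= PATCHED_UPDATE[family]


def check_local_java():
    """Run `java -version` on this host and report whether it is patched.

    `java -version` writes to stderr, not stdout, hence the capture below.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return is_patched(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:14s} parsed={parse_java_version(text)} patched={is_patched(text)}")
    print("local java patched:", check_local_java())
```

Run against the constructed samples, only the `_patched` entries pass; the `no_java` case fails closed, which is the behaviour you want when the script is rolled out across hosts and some return garbage or no Java at all.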


Author: Marcus Carey, security researcher at Rapid7.




