The Oracle Critical Patch Update (CPU) came out that addresses all other Oracle products. Overall, the January 2013 CPU fixes over 80 vulnerabilities in 10 product groups.
With the number of products patched being substantial, it is important to have a good map of installed software and versions in your organization.
As usual we recommend starting with exposed services first, this month lead by the MySQL patches. Fortunately in most installations Oracle's core RDBMS will not be affected.
Here is an overview of the update:
- The Oracle RDBMS product has only one update, and it is located in the Spatial Oracle component. Many Oracle RDBMS will not have that option installed and might be free from installing any patches this quarter.
- The Mobile/Lite version of Oracle's database has five vulnerability addressed with a CVSS of 10, which indicates they are highly critical vulnerabilities.
- Oracle's other database, MYSQL, has 18 vulnerabilities addressed, with a maximum CVSS score of 9.0, indicating a high level of severity and prompting for a quick turn-around.
- Oracle's Fusion product group has seven vulnerabilities addressed, two of them in the Oracle Outside In product. Oracle Outside In is an SDK that is used by outside vendors for document conversions. One of the outside vendors is Microsoft that uses the Outside In in their Exchange Mail Server in the Outlook Web Access part. Microsoft has shipped two updates to Exchange last year, partly due to update the Outside In SDK.
- Oracle Solaris is affected by eight flaws but has no remotely exploitable vulnerabilities. IT administrators for Solaris should take a look at the vulnerabilities and decide on an adequate roll-out schedule.
- Further product areas with Security updates include Peoplesoft, JD Edwards, Supply-Chain, E-Business and VirtualBox.
Author: Wolfgang Kandek, CTO, Qualys.