Oracle is out this week with its latest quarterly Critical Patch Update, fixing flaws across multiple product lines.
Oracle's namesake database product family gets seven fixes this quarter, four of them in the Oracle Database Server itself. Three of those four are particularly dangerous because they can be exploited over the network without an attacker first authenticating to the database.
Additionally there are two patches for the Oracle Secure Backup solution, both of which are remotely exploitable without user authentication. Rounding out the list of Database Server product family vulnerabilities is one for the Oracle Application Express Listener that is also remotely exploitable without user authentication.
On the middleware side, Oracle Fusion Middleware is getting 22 security fixes, eight of which are remotely exploitable without authentication. Of particular note in the Fusion update is that Oracle is including fixes for Java issues that were already publicly disclosed and patched in its other Java products. Oracle JRockit, a Java Virtual Machine (JVM) on which Java applications run, sits at the core of Fusion Middleware.
Oracle patched Java in June. That update delivered 14 security fixes, 12 of which were remotely exploitable without authentication. Java has been identified in recent years as one of the most attacked technologies on the Internet, and the Flashback malware that hit Apple Macs earlier this year spread through an unpatched Java flaw. One result of that outbreak was that Apple shipped its Java update at the same time as Oracle in June, limiting the window of exposure.
JRockit users may have been at risk for the month between the June Java release and the JRockit fix. Oracle did not respond to a request for comment from eSecurity Planet by press time on the level of risk that the JRockit patch delay may have represented to users.
Fusion isn't the only Oracle application suite getting updates this quarter. Oracle Siebel CRM receives seven fixes, Oracle E-Business Suite four, the Oracle Supply Chain Products Suite five, and Oracle PeopleSoft Enterprise nine.
Security Fixes for Sun Product Line
Oracle's Sun products are receiving 24 security fixes, 16 of which can be remotely exploited without user authentication. The bulk of the fixes, 18, are for Oracle's Solaris Unix operating system. The Solaris update affects versions 8, 9, and 10, as well as the newer Solaris 11, which was released at the end of 2011.
On top of the Solaris updates are six additional fixes for the MySQL database. In contrast to the Oracle Database updates, none of the MySQL flaws are remotely exploitable without user authentication.
Common Vulnerability Reporting Format
With the July CPU, Oracle is also moving to make it easier for security professionals to parse the vulnerability information: the July CPU is additionally published as a Common Vulnerability Reporting Format (CVRF)-compatible XML file, so the affected products, CVE identifiers and severity scores can be consumed by scanners and ticketing systems rather than copied out of an HTML advisory by hand. "CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion," writes Eric Maurice, security manager in Oracle's global technology business unit, in a company blog. "This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member."
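To show what consuming a CVRF feed looks like in practice, here is an added example (not Oracle's code, and not taken from the CPU itself) that parses a CVRF 1.1 document and flags the vulnerabilities that are remotely exploitable without authentication, the property this article keeps counting, by reading the CVSS v2 base vector (AV:N and Au:N). The XML sample is constructed for the example with placeholder product names and deliberately non-existent CVE identifiers (CVE-1900-xxxx); the namespace URIs are the CVRF 1.1 ones published by ICASI, but you should confirm them against the xmlns declarations of the file you actually download.

```python
"""Triage a CVRF 1.1 advisory: list CVEs, affected products and CVSS v2 data,
and flag entries exploitable over the network without authentication."""
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces as published by ICASI (assumption for this example;
# verify against the xmlns declarations in the real document).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed sample document. Product names and CVE numbers are placeholders
# (CVE-1900-xxxx cannot be real); it is not Oracle's July CPU.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Critical Patch Update (constructed)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentTracking><Identification><ID>EXAMPLE-CPU-0000</ID></Identification></DocumentTracking>
  <prod:ProductTree>
    <prod:Branch Type="Vendor" Name="Example Vendor">
      <prod:FullProductName ProductID="P-DB">Example Database Server</prod:FullProductName>
      <prod:FullProductName ProductID="P-SQL">Example SQL Server</prod:FullProductName>
    </prod:Branch>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Placeholder flaw in network listener</vuln:Title>
    <vuln:CVE>CVE-1900-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-DB</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>7.5</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Placeholder flaw requiring a database account</vuln:Title>
    <vuln:CVE>CVE-1900-0002</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-SQL</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>4.0</vuln:BaseScore>
      <vuln:Vector>AV:N/AC:L/Au:S/C:N/I:N/A:P</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvss2_vector(vector):
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/...' into a dict."""
    metrics = {}
    for item in vector.split("/"):
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed CVSS v2 metric: {item!r}")
        metrics[key] = value
    return metrics


def is_remote_unauthenticated(vector):
    """Oracle's 'remotely exploitable without authentication' maps to AV:N and Au:N."""
    m = parse_cvss2_vector(vector)
    return m.get("AV") == "N" and m.get("Au") == "N"


def parse_cvrf(xml_text):
    """Return the document ID and one record per Vulnerability element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['cvrf']}}}cvrfdoc":
        raise ValueError(f"not a CVRF 1.1 document: root element is {root.tag}")
    doc_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS)
    # ProductTree nests FullProductName inside Branch elements, so walk the whole tree.
    products = {p.get("ProductID"): (p.text or "").strip()
                for p in root.iter(f"{{{NS['prod']}}}FullProductName")}
    records = []
    for v in root.findall("vuln:Vulnerability", NS):
        affected_ids = [pid.text.strip()
                        for st in v.findall("vuln:ProductStatuses/vuln:Status", NS)
                        if st.get("Type") == "Known Affected"
                        for pid in st.findall("vuln:ProductID", NS)]
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        vector = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:Vector", namespaces=NS)
        vector = vector.strip() if vector else None
        records.append({
            "cve": (v.findtext("vuln:CVE", namespaces=NS) or "").strip(),
            "title": (v.findtext("vuln:Title", namespaces=NS) or "").strip(),
            "base_score": float(score) if score else None,
            "vector": vector,
            "affected": [products.get(pid, pid) for pid in affected_ids],  # unknown IDs kept raw
            "remote_unauth": bool(vector) and is_remote_unauthenticated(vector),
        })
    return {"id": doc_id, "vulnerabilities": records}


def remote_unauthenticated_cves(xml_text):
    """CVE IDs an unauthenticated network attacker could hit: the patch-first list."""
    return [r["cve"] for r in parse_cvrf(xml_text)["vulnerabilities"] if r["remote_unauth"]]


if __name__ == "__main__":
    doc = parse_cvrf(SAMPLE_CVRF)
    print(f"{doc['id']}: {len(doc['vulnerabilities'])} vulnerabilities")
    for r in doc["vulnerabilities"]:
        flag = "REMOTE/NO-AUTH" if r["remote_unauth"] else "needs auth or local"
        print(f"  {r['cve']} {r['base_score']} {r['vector']} {flag} -> {', '.join(r['affected'])}")
```

Two caveats when pointing this at a real download: a vendor's CVRF can carry several ScoreSets per vulnerability (only the first is read here), and an advisory fetched over the network is untrusted XML, so parse it with defusedxml or an equivalent entity-expansion-safe parser rather than bare ElementTree if the feed is not verified before use.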