Oracle fixes 88 security vulnerabilities
Posted on 18 April 2012.
Oracle’s Critical Patch Update for April 2012 fixes 88 security vulnerabilities across the product line. The amount of fixes isn’t really a big concern; it's the criticality that really matters.

There is quite an uptick in criticality when you look at the Critical Patch Update from January 2012, when the highest was 7.8, while this quarter we have a couple of vulnerabilities with a criticality rating well above that.

The most critical vulnerability is CVE-2012-1695, which affects JRockit, Oracle’s proprietary Java Virtual Machine, and has a base score of 10.0. The base score of 10.0 is equivalent to a vulnerability perfect storm, spelling disaster for an organization.

JRockit has been free since May 2011 and it is unclear how many organizations this will affect. JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.

CVE-2012-0208, a vulnerability in the RSH protocol in Oracle Grid Engine, is rated at 9.0, as is CVE-2012-0552, a vulnerability relating to Oracle Database Server that affects the Oracle Spatial component. Both of these 9.0-rated vulnerabilities require authentication to exploit, but could result in a complete breach of the affected system.

Something like these vulnerabilities could be use to escalate privileges for an attacker after they have compromised a lower privileged account.

If organizations are running the software included in the updates, I recommend testing and patching as soon as possible, and to triage according to the CVSS Base Score.


Author: Marcus Carey, security researcher at Rapid7.





Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Sep 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //