Oracle fixes 88 security vulnerabilities
Posted on 18 April 2012.
Oracle’s Critical Patch Update for April 2012 fixes 88 security vulnerabilities across the product line. The amount of fixes isn’t really a big concern; it's the criticality that really matters.

There is quite an uptick in criticality when you look at the Critical Patch Update from January 2012, when the highest was 7.8, while this quarter we have a couple of vulnerabilities with a criticality rating well above that.

The most critical vulnerability is CVE-2012-1695, which affects JRockit, Oracle’s proprietary Java Virtual Machine, and has a base score of 10.0. The base score of 10.0 is equivalent to a vulnerability perfect storm, spelling disaster for an organization.

JRockit has been free since May 2011 and it is unclear how many organizations this will affect. JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.

CVE-2012-0208, a vulnerability in the RSH protocol in Oracle Grid Engine, is rated at 9.0, as is CVE-2012-0552, a vulnerability relating to Oracle Database Server that affects the Oracle Spatial component. Both of these 9.0-rated vulnerabilities require authentication to exploit, but could result in a complete breach of the affected system.

Something like these vulnerabilities could be use to escalate privileges for an attacker after they have compromised a lower privileged account.

If organizations are running the software included in the updates, I recommend testing and patching as soon as possible, and to triage according to the CVSS Base Score.


Author: Marcus Carey, security researcher at Rapid7.





Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //