Oracle’s Critical Patch Update for April 2012 fixes 88 security vulnerabilities across the product line. The number of fixes isn’t really a big concern; it’s the criticality that really matters. There is quite an uptick in criticality compared with the Critical Patch Update from January 2012, when the highest score was 7.8, while this quarter we have a couple of vulnerabilities with a criticality rating well above that.
The most critical vulnerability is CVE-2012-1695, which affects JRockit, Oracle’s proprietary Java Virtual Machine, and has a base score of 10.0. The base score of 10.0 is equivalent to a vulnerability perfect storm, spelling disaster for an organization.
JRockit has been free since May 2011 and it is unclear how many organizations this will affect. JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low-level attack vector. The low attack vector rating means that it would be easy to exploit over a network or the Internet. Exploitation will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.
CVE-2012-0208, a vulnerability in the RSH protocol in Oracle Grid Engine, is rated at 9.0, as is CVE-2012-0552, a vulnerability relating to Oracle Database Server that affects the Oracle Spatial component. Both of these 9.0-rated vulnerabilities require authentication to exploit, but could result in a complete breach of the affected system.
Vulnerabilities like these could be used by an attacker to escalate privileges after compromising a lower-privileged account.
If organizations are running the software included in the updates, I recommend testing and patching as soon as possible, and triaging according to the CVSS Base Score.

Author: Marcus Carey, security researcher at Rapid7.

