Oracle patches 109 vulnerabilities
Posted on 17 October 2012.
Oracle’s Critical Patch Update for October 2012 patches 109 vulnerabilities across hundreds of Oracle products. There are several patches that require immediate attention for enterprises running Oracle paid and free software.

Oracle Database Server's Core RDBMS and Oracle JRockit should both be patched as soon as possible. The Core RDBMS has a vulnerability with a base score of 10.0, which may be remotely exploitable without authentication. This flaw requires the immediate attention of organizations running Oracle Core RDBMS because a successful attack would result in the complete compromise of the system’s confidentiality, integrity, and availability.

Oracle JRockit also has a vulnerability rated as 10.0. When a vulnerability is rated 10.0 on the CVSS scale, it is essentially "game over" if an attacker can reach the device over the Internet or intranet.

Oracle's MySQL Server will receive fixes for 14 vulnerabilities, the highest having a CVSS score of 9.0. MySQL has two vulnerabilities that may be remotely exploitable without authentication. CVE-2012-3158, rated 7.5, is the most severe MySQL vulnerability that is remotely exploitable and doesn't require authentication.

According to Oracle, it could lead to a compromise of confidentiality, integrity, and availability of systems. Many would argue that CVE-2012-3158 could be rated higher.

MySQL may have the most impact across the Internet. Approximately 3 million MySQL servers were discovered during a recent Internet-wide scan, and about 1.5 million of those don't have host access control lists (ACLs) and are vulnerable to the type of remote exploits that were patched this cycle.

Many were anticipating Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37. I advise everyone who needs Java to update as soon as possible. Rapid7 provides a free online tool, IsJavaExploitable.com, which allows you to test whether you need to update your Java (and provides links to update if necessary), or verify that patching has worked.


Author: Marcus Carey, security researcher at Rapid7.




