Oracle issues update for critical vulnerability

By Ken Presti, on Jul 18, 2012 1:42 PM
Filed under Security

87 patches in total.

Oracle's July Critical Patch Update (CPU) advisory involved 87 security patches across the company's overall product portfolio, including one vulnerability with the highest possible rating.

The vulnerability involves Oracle JRockit (CVE-3135), which is listed with a base score of 10.0, the most critical rating available.

"This is like a perfect storm," said Marcus Carey, security researcher at Rapid7. "You can access it over multiple protocols, and it opens you up to remote exploits without a password. It can be accessed across the network unless there is an access controller in the middle to block the attempt.

"And, the attacker can get control over the full range of data. So this would, in essence, be 'game over.'"

Two vulnerabilities in the bulletin are rated at 7.8 on the same 10-point scale. The first, CVE 1740, involves Oracle Application Express Listener.

"Someone could use regular web protocols to contact the server and do a remote exploit without authentication," Carey explained. "Plus, the complexity of the attack is rated as 'low,' meaning that your kid could probably do it."

Also rated at 7.8 is CVE 3192, which impacts Oracle's Secure Backup Apache Component. This is another low-complexity attack in which systems can be accessed over the web without authentication to gain full data control.

CVE 1737 tips the scales with a 6.8 critical rating and involves Oracle Enterprise Manager Grid Control. It is similar in that it can be exploited remotely without authentication, but the complexity of the attack is somewhat higher, and it does not provide access to the full range of data.

Another 6.8 rating goes to CVE 1731, a Siebel CRM vulnerability with characteristics similar to CVE 1737.

CVE 3126 is used against Solaris Cluster via the Apache Tomcat Agent. It, too, results in system compromise, but can only be exploited locally. There are also three other Solaris-related patches (3120, 4609, 3125), which have critical scores of 7.1 to 7.8.

"Organisations should look at this risk matrix and develop a strategy for dealing with them," advised Carey. "It's not just a matter of putting in the patches; it's also a matter of protecting the network access, which will reduce the exposure still further. If you build the network right, you can mitigate the risk without even having to worry about the patches.

"So many of the servers are business-critical that it makes it difficult to patch because you don't want to take the system down. In fact, many of these patches are not going to be installed anytime soon at a variety of companies."

Under most circumstances, Oracle issues patches every three months. The next one is scheduled to take place in October.

This article originally appeared at crn.com

Copyright © 2014 The Channel Company, LLC. All rights reserved.