Editor's Blog and Industry Comments

Critical patch update from Oracle

19 July, 2013
With a major update due from Oracle, administrators can expect an increased patching workload for July

19th July is slated for the release of a giant update from Oracle covering further vulnerabilities, in what appears to be a developing trend.

Rapid7's Ross Barrett, senior manager of security engineering, commented: "Relatively quiet Critical Patch Update (CPU) from Oracle this quarter. Relative is of course subjective to Oracle, since this gigantic pile of unrelated code fixes includes 89 distinct CVEs and touches 20+ distinct products.

The highest risk issue is scored with a CVSS of 9 because it’s remotely exploitable without authentication. This vulnerability in the XML Parser in Oracle’s Database Server is part of a mixed bag of other vulnerabilities ranging from mild to serious.



Oracle Fusion middleware is seeing a lot of attention this quarter with 21 fixes, but nothing super critical. The highest CVSS score is 7.5, nothing to ignore.

 

Solaris is hit with two remote DoS attacks, plus a couple of local elevation of privilege issues.



With such a diverse range of products in this quarter’s patch, it's hard to tackle these from top to bottom with recommendations. I recommend patching any vulnerable Oracle Database Server instances ASAP and don’t neglect the stability or integrity of the Solaris deployment."



Craig Young, security researcher at Tripwire, added: “The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by 3rd parties who presumably do not have access to full source code. This month’s CPU credits 18 different researchers coming from more than a dozen different companies.

It’s also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”



Read more about the Oracle patch update from GFI Software.