Oracle publishes Critical Patch Updates (CPUs) on a quarterly schedule.
Oracle released its January edition with patches for a majority of its product line:
- Oracle Solaris: eight vulnerabilities in Solaris itself, including CVE-2012-0094, which carries the highest CVSS score in the advisory (7.8), plus three issues in the Glassfish application server.
- Weblogic Application Server: two vulnerabilities, neither one requiring authentication.
- MySQL Server: a total of 27 vulnerabilities in the 5.x versions, including one remote code execution vulnerability (CVE-2011-2262).
- Oracle Database Server: both versions 10 and 11 are affected by two remote code execution vulnerabilities, one in the Listener (CVE-2012-0072) and the other in the core RDBMS server (CVE-2012-0082).
- Oracle Applications, such as Peoplesoft and JD Edwards, have a total of 14 vulnerabilities between them.
- Oracle Virtualization software: three vulnerabilities, two of them in the Guest Additions and Shared Folders, which are widely used but only reachable by a local user.
Overall this is a large update for Oracle software users, but one with plenty of mitigating factors. We recommend addressing vulnerabilities on Internet-accessible systems first. Most likely this will mean fixing the Weblogic/Apache and Solaris vulnerabilities first, followed by MySQL.
Oracle RDBMS can probably be addressed last, as these systems tend to be installed on internal networks, or are well firewalled if they are connected to the Internet at all. A good map of your network will help in determining where to start.
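The prioritization rule above (Internet-exposed systems first, then severity) is easy to get wrong when an inventory has dozens of hosts, so here is a small triage script that applies it mechanically. This is an added example, not code from Qualys or Oracle. The host inventory and its exposure tiers are constructed for illustration; the per-product facts are the ones summarised in this post, and the only CVSS score the post states is the 7.8 for CVE-2012-0094, so the other scores are left unknown rather than guessed.

```python
"""Order Oracle CPU remediation by exposure first, then by severity.

Added example, not code from Qualys or Oracle. The inventory and exposure
tiers are constructed; per-product facts follow the advisory summary in
the post, with attributes the post does not state left as None.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exposure tiers, as a network map would classify each host.
INTERNET = 0    # reachable from the Internet
PARTNER = 1     # reachable from partner/extranet or DMZ segments
INTERNAL = 2    # internal networks only, or behind a firewall
LOCAL_ONLY = 3  # flaw needs local access regardless of where the host sits


@dataclass(frozen=True)
class Finding:
    product: str
    cve: Optional[str]               # None where the post names no identifier
    rce: Optional[bool]              # remote code execution; None = not stated
    unauthenticated: Optional[bool]  # no credentials needed; None = not stated
    local_only: bool = False         # e.g. VirtualBox Guest Additions
    cvss: Optional[float] = None     # only where the post states the score


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    exposure: int                    # one of the tiers above


# Findings as summarised in the post for the January CPU.
FINDINGS = [
    Finding("Weblogic", None, rce=None, unauthenticated=True),
    Finding("Solaris", "CVE-2012-0094", rce=None, unauthenticated=None, cvss=7.8),
    Finding("MySQL", "CVE-2011-2262", rce=True, unauthenticated=None),
    Finding("Oracle Database", "CVE-2012-0072", rce=True, unauthenticated=None),
    Finding("Oracle Database", "CVE-2012-0082", rce=True, unauthenticated=None),
    Finding("VirtualBox", None, rce=None, unauthenticated=None, local_only=True),
]

# Constructed inventory; replace with your own network map / scanner export.
ASSETS = [
    Asset("db01.corp.example", "Oracle Database", INTERNAL),
    Asset("mysql01.dmz.example", "MySQL", PARTNER),
    Asset("web01.example.com", "Weblogic", INTERNET),
    Asset("sol01.example.com", "Solaris", INTERNET),
    Asset("dev-laptop-07", "VirtualBox", INTERNET),  # roaming laptop; flaw is local-only anyway
]


def priority(asset: Asset, finding: Finding) -> tuple:
    """Sort key (smaller sorts earlier): exposure dominates, then confirmed RCE,
    then no-auth-required, then CVSS (unknown counts as 0), then host and CVE
    so the ordering is deterministic. Unstated attributes rank below confirmed ones."""
    exposure = LOCAL_ONLY if finding.local_only else asset.exposure
    return (
        exposure,
        0 if finding.rce else 1,
        0 if finding.unauthenticated else 1,
        -(finding.cvss if finding.cvss is not None else 0.0),
        asset.host,
        finding.cve or "",
    )


def patch_plan(assets: List[Asset], findings: List[Finding]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (host, product, cve) tuples in the order they should be patched."""
    work = [
        (asset, finding)
        for asset in assets
        for finding in findings
        if finding.product == asset.product
    ]
    work.sort(key=lambda pair: priority(*pair))
    return [(a.host, a.product, f.cve) for a, f in work]


if __name__ == "__main__":
    for rank, (host, product, cve) in enumerate(patch_plan(ASSETS, FINDINGS), 1):
        print(f"{rank:2d}. {host:24} {product:16} {cve or '(no CVE listed)'}")
```

Exposure is deliberately the first component of the sort key: an RCE on a firewalled RDBMS still sorts after an unauthenticated flaw on an Internet-facing Weblogic host, which is exactly the ordering the post recommends. Swap the constructed exposure tiers for the ones your network map gives you and the same key produces your own plan.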
By the way, neither Oracle Enterprise Linux nor Oracle Java is covered by the CPU process; both receive updates on their own separate schedules.
Author: Wolfgang Kandek, CTO, Qualys.