Oracle’s Critical Patch Update for October 2012 patches 109 vulnerabilities across hundreds of Oracle products. Several of the patches require immediate attention from enterprises running Oracle’s paid and free software.
Oracle Database Server’s Core RDBMS and Oracle JRockit should both be patched as soon as possible. The Core RDBMS has a vulnerability with a CVSS base score of 10.0, which may be remotely exploitable without authentication. This flaw requires immediate attention from organizations running Oracle Core RDBMS, because a successful attack would result in the complete compromise of the system’s confidentiality, integrity, and availability.
Oracle JRockit also has a vulnerability rated as 10.0. When a vulnerability is rated 10.0 on the CVSS scale it is essentially “game over” if an attacker can reach the device over the Internet or intranet.
Oracle’s MySQL Server will receive fixes for 14 vulnerabilities, the highest having a CVSS score of 9.0. MySQL has two vulnerabilities that may be remotely exploitable without authentication. CVE-2012-3158, rated 7.5, is the most severe MySQL vulnerability that is remotely exploitable, and doesn’t require authentication.
According to Oracle, it could lead to a compromise of confidentiality, integrity, and availability of systems. Many would argue that CVE-2012-3158 could be rated higher.
MySQL may have the most impact across the Internet. Approximately 3 million MySQL servers were discovered during a recent Internet-wide scan, and about 1.5 million of those don’t have host access control lists (ACLs) and are vulnerable to the type of remote exploits that were patched this cycle.
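The exposure described above comes down to two settings: whether the server listens on a public interface and whether any accounts are granted from any host. The following script is an added example (not from the original post or from Rapid7) that audits both from data an administrator already has: the rows of `SELECT User, Host FROM mysql.user;` and the `[mysqld]` section of `my.cnf`. The sample rows and config text are constructed for illustration.

```python
"""Audit MySQL host ACLs for remote exposure (added example, not from the original post)."""
import re
from typing import List, Optional, Tuple

# Constructed sample of what `SELECT User, Host FROM mysql.user;` returns.
SAMPLE_ACCOUNTS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("root", "%"),                      # root reachable from any host
    ("app", "10.0.0.%"),                # wildcard limited to one subnet
    ("app", "app01.internal.example"),
    ("report", ""),                     # empty host also matches any host
    ("backup", "127.0.0.1"),
]

# Constructed my.cnf fragment: listening on all interfaces.
SAMPLE_MY_CNF = """
[mysqld]
port=3306
bind-address=0.0.0.0
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_risk(host: str) -> str:
    """Classify a mysql.user Host value by how widely it admits connections."""
    if host in ("", "%"):
        return "any-host"       # no host ACL at all
    if "%" in host:
        return "wildcard"       # pattern, e.g. a subnet or domain suffix
    if host in LOCAL_HOSTS:
        return "local"
    return "specific"


def exposed_accounts(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, host, risk) for accounts admitted from more than one host."""
    findings = []
    for user, host in rows:
        risk = host_risk(host)
        if risk in ("any-host", "wildcard"):
            findings.append((user, host, risk))
    return findings


def bind_address(config_text: str) -> Optional[str]:
    """Extract bind-address from a my.cnf text; None means the option is absent."""
    match = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", config_text, re.MULTILINE)
    return match.group(1) if match else None


def listens_on_all_interfaces(config_text: str) -> bool:
    """True when the server would accept TCP connections on every interface.

    An absent bind-address is treated as all-interfaces, which was the
    default behaviour for MySQL servers of the 2012 era (assumption noted).
    """
    addr = bind_address(config_text)
    return addr is None or addr in ("0.0.0.0", "::", "*")


if __name__ == "__main__":
    for user, host, risk in exposed_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}@'{host}': {risk}")
    if listens_on_all_interfaces(SAMPLE_MY_CNF):
        print("server listens on all interfaces; combine with a network ACL or bind to a private address")
```

Accounts flagged `any-host` are the ones a scan like the one cited above would reach directly; tightening them to a specific host or subnet, and binding the listener to a private address, is the mitigation that does not depend on the patch cycle.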
Many were anticipating Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37. I advise everyone who needs Java to update as soon as possible. Rapid7 provides a free online tool IsJavaExploitable.com which allows you to test whether you need to update your Java (and provides links to update if necessary), or verify that patching has worked.
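For environments where a browser-based check is not practical, the version test can be done against the output of `java -version`. The script below is an added example (not from the original post and not Rapid7’s tool) that parses the `1.x.0_NN` version string used by Java 6 and 7 and compares it with the fixed levels named above, Version 7 Update 9 and Version 6 Update 37. The version strings in the test are constructed.

```python
"""Check an installed Java 6/7 against the October 2012 fixed update levels (added example)."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed update level per major version, as stated in the post.
PATCHED_UPDATE = {6: 37, 7: 9}

# Java 6/7 report versions as  java version "1.7.0_09"
_VERSION_RE = re.compile(r'"1\.(\d+)\.0_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if unrecognised."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def needs_update(output: str) -> bool:
    """True when the reported Java is older than the patched level for its line.

    Majors older than 6 are treated as needing an update (no fix is listed
    for them); an unrecognised format raises ValueError rather than guessing.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        raise ValueError("unrecognised java -version output")
    major, update = parsed
    if major < 6:
        return True
    if major not in PATCHED_UPDATE:
        return False            # newer line, outside the scope of this advisory
    return update < PATCHED_UPDATE[major]


def installed_java_version() -> str:
    """Run the local `java -version`; the version is printed on stderr."""
    result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return result.stderr + result.stdout


if __name__ == "__main__":
    try:
        output = installed_java_version()
    except FileNotFoundError:
        print("no java binary on PATH")
    else:
        verdict = "needs update" if needs_update(output) else "at or above the patched level"
        print(output.strip().splitlines()[0], "->", verdict)
```

The check only reads the version string, so it says nothing about a second, older JRE left installed alongside the patched one; on hosts with more than one runtime, run it against each `java` binary.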
Author: Marcus Carey, security researcher at Rapid7.