Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

86 Oracle Updates

Published: 2013-01-16
Last Updated: 2013-01-16 16:38:29 UTC
by Dan Goldberg (Version: 2)
1 comment(s)

Oracle has released a lengthy list of updates to many products. descriptions are available here: 
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

Of the 86 Oracle updates released there are a few high risk updates listed:

CVE-2012-3220 (effecting Oracle Database server products) represents the highest severity with risk score of 9.0 (for a windows hosted database server) out of a possible 10, for *nix based servers the score is lower at 6.5. There is a remote exploit, requiring authentication.

Oracle Mobile Database server products are next on the list with the following CVEs and CVSS base scores, all have remote exploits without authentication via HTTP
CVE-2013-0361 10
CVE-2013-0366 10
CVE-2013-0362 7.8
CVE-2013-0363 7.8
CVE-2013-0364 7.8

The two following CVEs effect MySQL servers with a CVSS score of 9.0 and a remote exploit with authentication:
CVE-2012-5612
CVE-2012-5611

The remainder of the updates listed have scores of 7.5 or lower, and represent a mix of remote and local exploits some without authentication.

In most cases well designed defense in depth will protect most middleware and backend database servers from direct exploit. Limiting which hosts can communicate with these systems using both network and host based firewalls to reduce the attack plane for the servers to exploits that run through the application (SQL injection or similar) helps mitigate these attack vectors. Database and middleware servers that can be reached from any remote hosts are at greater risk to attack. Applying vendor updates after testing the application in non-production environments is still best practice in all cases.

If you run any of these impacted systems and can report on your experience with these updates please share that with us, and I will update or post another diary covering these experiences.

 

--
Dan
Volunteer Handler, Internet Storm Center

Keywords:
1 comment(s)
Diary Archives