This week, Oracle released their quarterly Critical Patch Update (CPU) for January 2013. CPUs are collections of security updates, which fix vulnerabilities in a wide-range of Oracle products. This quarter’s updates fix 86 vulnerabilities in many different Oracle products and suites.
Refer to the table below for more details about the affected products and severity of the flaws:
| Product or Suite | Flaws Fixed (CVE) | Max CVSS |
|---|---|---|
| Database Server (and Mobile) | 6 | 10.0 |
| Fusion Middleware | 7 | 5.0 |
| Enterprise Manager Grid Control | 13 | 7.5 |
| Virtual Box | 1 | 2.4 |
| E-Business Suite | 9 | 6.4 |
| Supply Chain Product Suite | 1 | 2.1 |
| MySQL | 18 | 9.0 |
| PeopleSoft Products | 12 | 5.5 |
| JD Edwards Products | 1 | 3.5 |
| Siebel CRM | 10 | 5.0 |
| Sun Product | 8 | 6.6 |
Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 86 vulnerabilities differs greatly, some of them pose a pretty critical risk.
For instance, the updates for Oracle Database Server fix vulnerabilities with a CVSS score of 10—the highest possible severity rating. One of these flaws allows unauthenticated, remote attackers to potentially gain complete control of your Oracle database server. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availably section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)