This week, Oracle released their quarterly Critical Patch Update (CPU) for July 2013. CPUs are collections of security updates, which fix vulnerabilities in a wide-range of Oracle products. This quarter’s updates fix 89 vulnerabilities in many different Oracle products and suites.
Refer to the table below for more details about the affected products and severity of the flaws:
| Product or Suite | Flaws Fixed (CVE) | Max CVSS |
|---|---|---|
| Database Server | 6 | 9.0 |
| Fusion Middleware | 21 | 7.5 |
| Enterprise Manager Grid Control | 2 | 4.3 |
| Hyperion | 1 | 3.5 |
| E-Business Suite | 7 | 5.5 |
| Supply Chain Product Suite | 4 | 4.3 |
| MySQL | 18 | 6.8 |
| PeopleSoft Products | 10 | 6.4 |
| iLearning | 1 | 4.3 |
| Policy Automation | 1 | 4.0 |
| Sun Solaris Products | 16 | 7.8 |
| Secure Global Desktop | 2 | 7.5 |
Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 89 vulnerabilities differs greatly, some of them pose a pretty critical risk.
For instance, the update for Oracle Database Server fixes a vulnerability with a CVSS score of 9, which is pretty high. Also, some of these flaws allow remote attackers to potentially gain control of your Oracle database, Fusion Middleware, or MySQL servers. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availably section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)