Blog Post created by B-C-METOYX Employee on Jan 21, 2015

Crossposted from my Liquidmatrix Security Digest blog...


When it comes to patching vulnerabilities, Oracle does nothing small.

In its latest quarterly CPU (Critical Patch Update), the database giant hands its customers 169 new security fixes affecting many products. The full patch matrix is here.

SiliconANGLE offers a decent analysis of the vulnerabilities and patches. From Maria Deutscher’s report:

"One flaw that drew an outsized amount of attention is a misconfiguration affecting the enterprise technology stalwart’s popular E-Business Suite, which “gobsmacked” its discoverer, in his own words. David Litchfield, a U.K.-based expert on database security who is credited with uncovering hundreds of flaws, initially mistook the issue for a backdoor left behind by a hacker when he first spotted it while evaluating the defenses of a client."

Charlie Osborne from ZDNet writes:

"In total, 36 new fixes have been issued for Oracle Fusion Middleware products, and the most severe received a rating of 9.3. Two of the Oracle Fusion Middleware vulnerabilities fixed in this Critical Patch Update can result in a server takeover. Ten new fixes have been included for Oracle E-Business Suite, 6 for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, one for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning. This CPU also provided 29 fixes for the Oracle Sun Systems Products Suite, and the highest CVSS score reported for this set of vulnerabilities was 10. This particularly nasty flaw affects XCP Firmware versions prior to XCP 2232."

Database administrators have a lot of work to do.