Oracle Critical Patch Update October 2014 - Massive Patch
Just when you thought the Oracle Database world was getting safer, Oracle will be releasing fixes for 32 database security bugs on Tuesday, October 14th. This is in stark contrast to the previous twenty-five quarters, in which the high was 16 database bugs and the average was 8.2 database bugs per quarter. For the previous two years, the most database bugs fixed in a single quarter was six.
In addition to the 32 database security bugs, there are a total of 155 security bugs fixed in 44 different products.
Here is a brief analysis of the pre-release announcement for the upcoming October 2014 Oracle Critical Patch Update (CPU).
Oracle Database
- There are 32 database vulnerabilities; only one is remotely exploitable without authentication and 4 are applicable to client-side only installations.
- Since at least one database vulnerability has a CVSS 2.0 metric of 9.0 (critical for a database vulnerability), this is a fairly important CPU due to severity and volume of fixes.
- The remotely exploitable without authentication bug is likely in Application Express (APEX). Any organizations running APEX externally on the Internet should look to apply the relevant patches immediately. To patch APEX, the newest version must be installed, which requires appropriate testing and upgrading of applications.
- Four of the vulnerabilities apply to client-side only installations, and most of these are likely in JDBC.
- Core RDBMS and PL/SQL are listed as patched components, so most likely there are critical security vulnerabilities in all database implementations.
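The following SQL is an added example, not part of the original post, for inventorying a database against the components this CPU calls out (Core RDBMS, PL/SQL, APEX, JDBC/JVM). It assumes a DBA-privileged session on 11g or later and the standard DBA_REGISTRY, APEX_RELEASE and DBA_REGISTRY_HISTORY views; the APEX_RELEASE query will fail with ORA-00942 if APEX is not installed, which is itself the answer.

```sql
-- 1. Which patched components are present in this database?
--    APEX and JAVAVM are optional; CATALOG/CATPROC (Core RDBMS, PL/SQL)
--    are always present, so every instance is in scope for this CPU.
SELECT comp_id,
       comp_name,
       version,
       status
  FROM dba_registry
 WHERE comp_id IN ('CATALOG', 'CATPROC', 'APEX', 'JAVAVM', 'XDB')
 ORDER BY comp_id;

-- 2. Exact APEX release and patch level. Because APEX is fixed by
--    installing the newest version rather than a one-off patch, the
--    value of version_no is what decides whether this host is exposed.
SELECT version_no,
       api_compatibility,
       patch_applied
  FROM apex_release;

-- 3. Most recent CPU/PSU recorded in the registry history, to compare
--    against the October 2014 release date when planning the rollout.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 WHERE action_time = (SELECT MAX(action_time) FROM dba_registry_history);
```

Run it on every instance, including development and client-only hosts, since the client-side fixes are not visible in the server registry and must be tracked through the installed client software.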
Oracle Fusion Middleware
- There are 17 new Oracle Fusion Middleware vulnerabilities, 13 of which are remotely exploitable without authentication; the highest CVSS score is 7.5.
- Various Fusion Middleware products are listed as vulnerable, so you should carefully review this CPU to determine the exact impact to your environment.
- The core WebLogic Server is listed as a patched component; therefore, most likely all Fusion Middleware customers will have to apply the patch.
Oracle E-Business Suite 11i and R12
- There are nine new Oracle E-Business Suite 11i and R12 vulnerabilities, seven of which are remotely exploitable without authentication. Many of these are in core Oracle EBS components such as Oracle Applications Framework (OAF) and Application Object Library (AOL/FND). Even though the maximum CVSS score is 5.0, most of these vulnerabilities should be considered high risk.
- All DMZ implementations of Oracle EBS should carefully review the CPU to determine if their environment is vulnerable. As all Oracle EBS CPU patches are now cumulative, the CPU patch should be prioritized, or mitigating controls such as AppDefend should be implemented.
Planning Impact
- We anticipate this quarter's CPU to be higher risk than most, and it should be prioritized. Based on the patched components, this may be a higher than average risk CPU for all Oracle database environments.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- For Oracle E-Business Suite customers, DMZ implementations may have to apply this quarter's patch faster than previous quarters due to the number and severity of bugs.