Oracle Critical Patch Update October
Oracle has just released their critical patch update http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Quite a number of products are being patched. Also, for those of you subject to PCI DSS, there are a significant number of patches addressing issues with a CVSS score of 4 or higher, which must be patched under the standard.
They have also released a critical patch update for Java http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
The info in the Oracle bulletin is comprehensive and should allow you to identify what needs to be done fairly easily. Both bulletins have the following wording in the workaround section: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible." For most of us this is not new (at least not on the Java side), but it may be a strong argument if you get pushback on patching.
Happy patching; as always, test before you implement.
Mark H - shearwater
Comments
The two vulnerabilities are trivial to exploit: one allows you to use a web browser to grab files off of the system that the oracle account has access to, the other allows you to grab database passwords. All unauthenticated.
If you run Oracle Reports Servers it might be a good idea to make sure diagnostic output is disabled. That will mitigate the vulnerability.
Dana Taylor
Oct 18th 2012
I was first tipped off by this story:
https://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/
Jason R
Oct 19th 2012