TeamSHATTER’s Analysis Of The January 2013 Oracle CPU

Posted January 17, 2013 by Alex Rothacker in Database Security, Oracle with 0 comments

It’s Oracle Critical Patch Update (CPU) Tuesday, so lace up your patching gloves and let’s get started. The January 2013 CPU contains 86 fixes across Oracle’s Database, Access Manager/Webgate, GoldenGate Veridata, Outside In, WebLogic, Application Performance Management, Enterprise Manager, E-Business Suite, Agile PLM Framework, PeopleSoft, JD Edwards EnterpriseOne Tools, Siebel CRM, Sun Product Suite, VirtualBox and MySQL product lines.

45 of the fixes in this CPU are for vulnerabilities that are remotely exploitable without authentication; in other words, anybody on the network can exploit them. Two products have fixes for vulnerabilities that allow for a complete takeover of the host: Oracle Database, Oracle Database Mobile Server, Solaris, and MySQL Server.

When it comes to the number of Database fixes, this CPU is on the low side: there is only 1 Database fix. However, 14 issues fixed in Oracle Enterprise Manager are potentially Database related. The Database issue and 9 of the Oracle Enterprise Manager fixes are credited to TeamSHATTER members Esteban Martinez Fayo, Martin Rakhmanov and Qinglin Jiang.

Oracle Database Server Vulnerabilities:

  • CVE-2012-3220: This vulnerability is in the Spatial component of the Oracle Database. It allows for a full server takeover and thus should be patched immediately. Removing the Spatial component, if it is not needed, is a possible workaround. CVSS 9.0

Oracle Enterprise Manager Vulnerabilities:

  • CVE-2013-0352 and CVE-2013-0355: XSS vulnerabilities in URL parameters that allow for the execution of arbitrary script code in the context of the logged-in user. This allows an attacker to affect the confidentiality and integrity of the database. CVSS 5.8
  • CVE-2013-0374, CVE-2013-0372, CVE-2013-0373, CVE-2013-0353 and CVE-2013-0358: SQL Injection vulnerabilities that allow for the execution of arbitrary SQL code in the context of the logged-in user. This allows an attacker to affect the confidentiality and integrity of the database. CVSS 5.8
  • CVE-2013-0354: A Response Splitting vulnerability. This allows an attacker to affect the confidentiality and integrity of the database. CVSS 5.8
  • CVE-2012-3219: A URL redirection vulnerability that allows for redirection to an arbitrary URL in the context of the logged-in user. It allows an attacker to affect the integrity of the application. CVSS 4.3

CVE-2012-5062 is a vulnerability in Java applet reflection classes. A public proof of concept for this vulnerability is readily available. CVSS 4.3

We are of the opinion that the XSS, SQL Injection and Response Splitting vulnerabilities in Oracle Enterprise Manager deserve a rating of CVSS 5.8, as this class of vulnerabilities affects not only the integrity but also the confidentiality of the application.

Lastly, this CPU also contains fixes for 18 security issues in MySQL 5.1 and 5.5. Two of these are remotely exploitable and allow for full control of the database and hosting server. Vulnerable MySQL installations should be updated immediately.
