It is Oracle Critical Patch Update (CPU) time, so lace up your patching gloves. The April 2013 CPU contains 128 fixes across Oracle’s Database, Fusion Middleware, E-Business Suite, Supply Chain, PeopleSoft, Siebel, Health Sciences, Retail, FLEXCUBE, Primavera, Sun Product Suite, MySQL and Oracle Support Tools product lines.
46 of the fixes in this CPU are for vulnerabilities that are remotely exploitable without authentication. In other words, an attacker who can reach the affected service over the network can exploit them without a username or password. Three products have fixes for vulnerabilities that allow a complete takeover of the host: Oracle Database, Solaris, and JRockit.
When it comes to the number of Oracle Database fixes, this CPU is on the low side. There are 4 Database fixes and no Oracle Enterprise Manager fixes.
For MySQL customers, there are 25 MySQL fixes with 4 that allow for a complete takeover of the MySQL Server.
Oracle Database Server Vulnerabilities:
- CVE-2013-1534: This vulnerability is in the Workload Manager component, which only exists in RAC installations. It is exploitable over Oracle Net without authentication and allows a full takeover of the database server by any attacker who can reach the listener, so RAC sites should patch immediately. CVSS 10.0
- CVE-2013-1519: Only affects Oracle Application Express installations prior to version 4.2.1 and allows an attacker to partially affect the integrity of the database. CVSS 5.0
- CVE-2013-1554: Allows an unauthenticated attacker to crash the Database Server by sending specially crafted network traffic over Oracle Net. CVSS 7.8
- CVE-2013-1538: Allows an unauthenticated attacker to crash the Database Server by sending specially crafted network traffic over Oracle Net. CVSS 7.8
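Since two of the four Database fixes only matter under specific conditions (RAC for the Workload Manager bug, APEX before 4.2.1 for the Application Express bug), it is worth checking exposure before scheduling downtime. The following triage script is an added example, not code from the original post or from Oracle; it queries standard data-dictionary and dynamic performance views and assumes it is run as a DBA user in SQL*Plus (the SET line is only for readable output).

```sql
-- Added triage script (not from the original post): run as a DBA user in SQL*Plus
-- to see which of the four Database fixes in the April 2013 CPU apply to an instance.
-- The views below are standard Oracle dictionary/dynamic views; the SQL*Plus
-- formatting command is an assumption for readability only.

SET LINESIZE 200 PAGESIZE 100

-- 1. CVE-2013-1534 (Workload Manager) matters only on RAC. Check whether the
--    RAC option is enabled and how many instances currently serve the database.
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Real Application Clusters';

SELECT COUNT(*) AS instance_count
  FROM gv$instance;

-- 2. CVE-2013-1519 affects Application Express before 4.2.1. The component
--    registry shows whether APEX is installed and at which version.
SELECT comp_id, version, status
  FROM dba_registry
 WHERE comp_id = 'APEX';

-- 3. CVE-2013-1554 and CVE-2013-1538 are reachable over Oracle Net on any
--    installation, so every instance needs the patch. Record the exact
--    database release and whether a CPU/PSU has already been applied.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle Database%';

SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

If the RAC option shows FALSE and the instance count is 1, CVE-2013-1534 does not apply; if no APEX row comes back, CVE-2013-1519 does not apply. The two Network Layer denial-of-service fixes apply regardless, and the last query tells you whether the April 2013 CPU (or a later PSU that supersedes it) is already recorded against the database.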