TeamSHATTER’s Analysis of the July 2013 Oracle CPU

Posted July 17, 2013 by Alex Rothacker in Database Security, Oracle, Team Shatter Exclusive

It is Oracle Critical Patch Update (CPU) time, so lace up your patching gloves. The July 2013 CPU contains 89 fixes across Oracle’s Database, Fusion Middleware, Hyperion, Enterprise Manager, E-Business Suite, Supply Chain, PeopleSoft, iLearning, Industry Applications Product Suite, Oracle and Sun Systems Product Suite, MySQL and Oracle Linux and Virtualization product lines.

45 of the fixes in this CPU are for vulnerabilities that are remotely exploitable without authentication. In other words, anyone who can reach the affected service over the network can exploit them without any credentials. Two products, Oracle Database and Solaris, received fixes for vulnerabilities that allow a complete takeover of the host.

For Oracle Database customers, there are 6 Database fixes and 2 Oracle Enterprise Manager fixes.

For MySQL customers, there are 18 MySQL fixes, 2 of which are remotely exploitable without authentication.

Oracle Database Server Vulnerabilities:

  • CVE-2013-3751: This vulnerability is in the XML Parser component. It allows a full server takeover by any authenticated database user and thus should be patched immediately. CVSS 9.0
  • CVE-2013-3774: This difficult-to-exploit vulnerability is in Oracle Net and allows a remote, unauthenticated attacker to completely take over the database server and the host operating system. Because of the attack complexity it is rated only CVSS 7.6, but the impact is total.
  • CVE-2013-3760: This vulnerability is in the Oracle core executable component. It requires a local logon to the host operating system and allows a full takeover of that host. CVSS 7.2
  • CVE-2013-3771: This vulnerability is also in the Oracle core executable component. It requires a local logon to the host operating system and allows a full takeover of that host. CVSS 7.2
  • CVE-2013-3789: This vulnerability is in the Core RDBMS component and can be exploited over the network by a remote attacker who holds the CREATE PROCEDURE privilege. It allows a full takeover of the database server. Note that CREATE PROCEDURE is part of the default RESOURCE role, so far more accounts typically hold it than a quick look at direct grants would suggest. CVSS 6.5
  • CVE-2013-3790: This vulnerability is in the Core RDBMS component. It requires a privileged account and can be exploited by a remote attacker over the network. It allows limited unauthorized modification of database data (an integrity impact only). CVSS 2.1

We also highly recommend reading Oracle’s more detailed descriptions of these vulnerabilities in the CPU advisory itself.
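Two checks a DBA will want to run against each database while working through this CPU: confirm that the patch’s SQL portion was actually recorded in the database, and enumerate which accounts could reach CVE-2013-3789 because they hold CREATE PROCEDURE (directly or through a role). The queries below are an added example written for this post, not code from Oracle or from TeamSHATTER; they assume an Oracle 10g or 11g data dictionary (DBA_REGISTRY_HISTORY, DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS) and a session with SELECT access to those views.

```sql
-- Added example (not from the original post). Run as a DBA or a user
-- with SELECT on the DBA_* views listed in the lead-in.

-- 1. Was the SQL portion of a CPU/PSU actually applied to THIS database?
--    catbundle.sql records each bundle in DBA_REGISTRY_HISTORY. If opatch
--    shows the binaries patched but no row appears here for the July 2013
--    bundle, the database-side fixes (packages, views) are still missing.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 2. Which accounts satisfy the precondition for CVE-2013-3789?
--    CREATE PROCEDURE (or the stronger CREATE ANY PROCEDURE) may be granted
--    directly to a user or inherited through any depth of role grants, so
--    walk the role graph from every user with CONNECT BY and then join the
--    reachable grantees (the user itself plus every reachable role) to
--    DBA_SYS_PRIVS.
WITH reach AS (
    -- every role reachable, transitively, from each user
    SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
                    granted_role           AS holder
      FROM dba_role_privs
     START WITH grantee IN (SELECT username FROM dba_users)
   CONNECT BY NOCYCLE PRIOR granted_role = grantee
    UNION
    -- the user itself, so direct grants are covered too
    SELECT username, username
      FROM dba_users
)
SELECT DISTINCT
       u.username,
       u.account_status,
       sp.privilege,
       CASE WHEN r.holder = u.username
            THEN 'DIRECT'
            ELSE 'VIA ROLE ' || r.holder
       END AS granted_through
  FROM dba_users     u
  JOIN reach         r  ON r.username = u.username
  JOIN dba_sys_privs sp ON sp.grantee = r.holder
 WHERE sp.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
 ORDER BY u.username, granted_through;
```

Expect the second query to return far more than the obvious administrative accounts: RESOURCE carries CREATE PROCEDURE and DBA carries CREATE ANY PROCEDURE, so every application schema built with GRANT RESOURCE is in scope for CVE-2013-3789 until the patch is on. Accounts that come back with ACCOUNT_STATUS of OPEN are the ones an attacker who obtains or guesses a password can actually use; locked or expired accounts are lower priority but should still be reviewed.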
