It’s the second Tuesday in October, so it is Oracle Critical Patch Update (CPU) time. The October 2013 CPU contains 127 fixes across Oracle’s Database, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, Siebel, Oracle and Sun Systems Product Suite, MySQL, Oracle Linux and Virtualization, and Oracle Java product lines. This is the first CPU to include Java fixes, and with 51 of them Java accounts for a sizable portion (about 40%) of the CPU’s total.
92 of the fixes in this CPU are for vulnerabilities that are remotely exploitable without authentication. In other words, no credentials are needed: anyone who can reach the affected service over the network can attempt to exploit them. Three product lines have fixes for vulnerabilities that allow a complete takeover of the host: Java, Sun System Firmware and MySQL.
On the database side, there are 2 Database Server fixes, 2 Fusion Middleware fixes that affect the Database, and 4 Oracle Enterprise Manager fixes. All 8 of these fixes are for vulnerabilities that are remotely exploitable without authentication.
For MySQL customers, there are 8 MySQL fixes, 1 of which is for a vulnerability that allows complete compromise of the host server.
Oracle Database Server Vulnerabilities:
- CVE-2013-5771: This vulnerability is in the XML Parser component. It allows an unauthenticated attacker with network access to the Database to partially breach the confidentiality of the data in the Database and to partially affect the Database’s availability. CVSS 6.4
- CVE-2013-3826: This vulnerability in the Core RDBMS allows an unauthenticated attacker on the network to breach the confidentiality of communications between the Database Server and its clients. Configuring Oracle native network encryption on both the server and the client can be used as a workaround. See http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#CIHFDJDG for more information. CVSS 5.0
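The workaround for CVE-2013-3826 only helps if encryption is actually negotiated, and Oracle’s sqlnet.ora settings make that easy to get wrong: the default ACCEPTED on both sides leaves traffic in the clear, and a server set to REQUESTED still lets a client that says REJECTED connect unencrypted. The following is an added example (not code from the original post or from Oracle) that parses the encryption parameters out of constructed sqlnet.ora texts and applies Oracle’s documented REJECTED/ACCEPTED/REQUESTED/REQUIRED negotiation rules to show which server setting really forces encryption. The parameter names are Oracle’s; the sample files and the helper names are mine.

```python
"""Added example: check whether an Oracle sqlnet.ora configuration will force
native network encryption, using Oracle's documented negotiation rules for the
SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT parameters.
The sqlnet.ora texts below are constructed for this example.
"""
import re

# The four documented levels, weakest to strongest.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate(server: str, client: str) -> str:
    """Outcome of a server/client pairing: 'on' (encrypted), 'off' (cleartext)
    or 'fail' (connection refused)."""
    server, client = server.upper(), client.upper()
    if server not in LEVELS or client not in LEVELS:
        raise ValueError(f"unknown encryption level: {server!r}/{client!r}")
    if "REJECTED" in (server, client):
        # REJECTED wins unless the peer insists; then the connection fails
        # rather than silently falling back to cleartext.
        return "fail" if "REQUIRED" in (server, client) else "off"
    if server == "ACCEPTED" and client == "ACCEPTED":
        # Both willing, neither asks: this is the default, and it is cleartext.
        return "off"
    return "on"


_PARAM = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_sqlnet(text: str) -> dict:
    """Return {PARAMETER: value} from sqlnet.ora text, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _PARAM.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def encryption_outcome(server_ora: str, client_ora: str) -> str:
    """Negotiation result for a given server sqlnet.ora and client sqlnet.ora."""
    s = parse_sqlnet(server_ora).get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    c = parse_sqlnet(client_ora).get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED")
    return negotiate(s, c)


def server_forces_encryption(server_ora: str) -> bool:
    """True only if no client setting can produce a cleartext session."""
    s = parse_sqlnet(server_ora).get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    return all(negotiate(s, c) != "off" for c in LEVELS)


# Constructed sample files (hypothetical).
WEAK_SERVER = """\
# equivalent to the default: willing to encrypt, but never insists
SQLNET.ENCRYPTION_SERVER = ACCEPTED
"""
HARDENED_SERVER = """\
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""
DEFAULT_CLIENT = "SQLNET.ENCRYPTION_CLIENT = ACCEPTED\n"
HOSTILE_CLIENT = "SQLNET.ENCRYPTION_CLIENT = REJECTED\n"

if __name__ == "__main__":
    for name, srv in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, "server forces encryption:", server_forces_encryption(srv))
        for cname, cli in (("default client", DEFAULT_CLIENT),
                           ("hostile client", HOSTILE_CLIENT)):
            print("  ", cname, "->", encryption_outcome(srv, cli))
```

The check worth taking away is `server_forces_encryption`: only REQUIRED on the server side survives every client setting, so REQUESTED on the server is not a fix for an eavesdropping issue. SHA1 is the strongest checksum type available in 11.2; 12c adds SHA256/SHA384/SHA512 for SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER.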
Oracle Fusion Middleware Vulnerabilities affecting the Database:
- CVE-2011-3389 and CVE-2013-0169: These two hard-to-exploit vulnerabilities (the BEAST and Lucky Thirteen attacks on TLS CBC cipher suites, respectively) are in the Oracle Security Service component of Fusion Middleware and allow an attacker to recover some confidential information from encrypted sessions. CVSS 4.3 and 2.6
Oracle Enterprise Manager Grid Control Vulnerabilities:
Oracle Enterprise Manager (OEM) Grid Control is a standard part of Oracle 10g and 11g Databases and optional for Oracle 12c.
Two of the OEM issues were found and reported to Oracle by former TeamSHATTER members Esteban Martinez Fayo and Qinglin Jiang.
- CVE-2013-3762: This vulnerability in the DB Performance Advisories/UIs subcomponent of OEM allows an unauthenticated attacker on the network to make unauthorized changes to some data accessible through the Enterprise Manager Base Platform. CVSS 4.3
- CVE-2013-5766: This vulnerability in the Schema Management subcomponent of OEM allows an unauthenticated attacker on the network to make unauthorized changes to some data accessible through the Enterprise Manager Base Platform. CVSS 4.3
- CVE-2013-5827 and CVE-2013-5828: These vulnerabilities in the Storage Management subcomponent of OEM allow an unauthenticated attacker on the network to make unauthorized changes to some data accessible through the Enterprise Manager Base Platform. CVSS 4.3
We also highly recommend reading Oracle’s full advisory and its risk matrices for these vulnerabilities.