News and Notes from the Makers of Nexus | Sonatype Blog

Oracle Issues Critical Security Bug Fixes for Databases, Glassfish, and more.

Written by Tim OBrien | April 18, 2012

If you are watching our security feed, you may have noticed this IDG News Service story reporting on a critical security patch from Oracle. Since many of our customers are directly affected by this vulnerability, we thought this announcement was important enough to feature. From the story:

"The upcoming patch batch includes six fixes for Oracle’s database, three of which can be exploited remotely without a username and password. Common Vulnerability Scoring System (CVSS) base score for the database bugs is 9 on the system’s 10-point scale. Another 11 patches cover Oracle Fusion Middleware, with 9 being remotely exploitable without authentication."

Three important take-aways from this announcement:

  • This patch contains some Level 9s on the CVSS. Level 9's are a "big deal", if you are not convinced just try playing around with this CVSS calculator from NIST or read this Complete Guide to the
    Common Vulnerability Scoring System Version 2.0     if you need convincing.
  • Many of the vulnerabilities are exploitable without credentials. Attackers don't need to compromise your database or application server credentials, if someone finds a way into your network, you may be vulnerable. Couple this with the fact that almost everyone is running either MySQL and Oracle and you have factors that bump up that CVSS score.
  • Glassfish, a very popular OSS application server, and MySQL, a ubiquitous OSS database, are also affected.

Here's a quote from the Oracle Critical Security Patch:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 88 new security fixes across the product families listed below.

If you are affected by this vulnerability, go get this Critical Security Patch Update from Oracle today.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.
View full post