(LiveHacking.Com) – Oracle has released 78 security fixes for its flagship database software, Fusion Middleware, E-Business Suite, Supply Chain, PeopleSoft, JD Edwards and Sun products as part of January’s Critical Patch Update (CPU). Included were two fixes for the Oracle Database Server, seventeen for Oracle Sun products, three for Oracle Virtualization and a massive 27 for Oracle MySQL. Only 16 of the 78 fixes are considered critical, meaning the underlying vulnerability could be exploited remotely without authentication.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” Oracle said in the advisory.
The highest-scored vulnerabilities, under the Common Vulnerability Scoring System (CVSS), are found in the Solaris operating system. The first is a denial-of-service bug and the second a Kerberos issue.
Oracle also issued 27 fixes for MySQL Server, including one for a vulnerability in the MySQL protocol that allows a remote attacker to significantly affect the availability of the database. Another, higher-rated vulnerability, while not remotely exploitable without authentication, could both affect availability and potentially expose the confidentiality of data in the database. Some pundits are accusing Oracle of “throwing in the towel” on patching its flagship database, as it received only two patches compared to MySQL’s 27.
However, now that the CPU has been issued, InfoWorld has published a story about “a flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.” When InfoWorld contacted Oracle about the flaw, it was asked, in the interest of security, to withhold the story until Oracle had time to develop and test patches that addressed the flaw.