Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


Oracle Critical Patch Update October

Published: 2012-10-17,
Last Updated: 2012-10-17 03:19:56 UTC
by Mark Hofman (Version: 1)

2 comment(s)

Oracle has just released their critical patch update http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Quite  a number of products are being patched also for those of you subject to PCI DSS there are a significant number of patches addressing issues with a CVSS score of 4 or higher, which must be patched under the standard.

They have also released a critical patch update for Java http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html 

The info in the Oracle bulletin is comprehensive and should allow you to identify what needs to be done fairly easily.  Both bulletins have the following wording in the work around section "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible." For most of us not new (at least not on the java side), but maybe a strong argument if you get pushback on patching.

Happy patching, as always test before you implement.

Mark H - shearwater
 

Keywords: internet isc oracle patching sans security
2 comment(s)
Top of page

Top of page

Comments

I reported CVE-2012-3152 and CVE-2012-3153 to Oracle back in March and they just released a fix but from what I understand, they are only fixing future versions and not older ones. They said they would inform customers how to patch but I haven't seen any details.

The two vulnerabilities are trivial to exploit, one which allows you to use a web browser to grab files off of the system that the oracle account has access to. The other allows you to grab database passwords. All unauthenticated.

If you run Oracle Reports Servers it might be a good idea to make sure diagnostic output is disabled. That will mitigate the vulnerability.
posted by Dana Taylor, Thu Oct 18 2012, 13:16
Not seeing much news about this in the normal places (US-CERT, etc.), but this cycle also included 30 Java security holes.

I was first tipped off by this story:
https://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/
posted by Jason R, Fri Oct 19 2012, 15:46

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Announcement!

IPv6 Support Added

Our iptables client now supports submitting IPv6 firewall logs.

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

UDP port 1434 directed attack to AS13489 IP ranges - by: Manuel Humberto Santander Pelaez (2013-05-24)

MoVP II - by: Adrien de Beaupre (2013-05-23)

Privilege escalation, why should I care? - by: Adrien de Beaupre (2013-05-22)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute