Last Updated: 2013-01-16 16:38:29 UTC
by Dan Goldberg (Version: 2)
Oracle has released a lengthy list of updates to many products. Descriptions are available here:
Of the 86 Oracle updates released, a few high-risk updates are listed:
The following two CVEs affect MySQL servers; each has a CVSS score of 9.0 and is remotely exploitable with authentication:
The remainder of the updates listed have scores of 7.5 or lower, and represent a mix of remote and local exploits, some without authentication.
In most cases, well-designed defense in depth will protect middleware and backend database servers from direct exploitation. Limiting which hosts can communicate with these systems, using both network and host-based firewalls, narrows the servers' attack surface to exploits that run through the application (SQL injection or similar) and helps mitigate these attack vectors. Database and middleware servers that can be reached from arbitrary remote hosts are at greater risk of attack. Applying vendor updates after testing them against the application in a non-production environment remains best practice in all cases.
If you run any of these impacted systems and can report on your experience with these updates, please share it with us, and I will update this diary or post another one covering those experiences.
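As an added example (not part of this diary): because the two MySQL issues require authentication, a useful check alongside the firewall rules is to confirm that no MySQL account can authenticate from outside the application tier. The script below audits `mysql.user` host values against an allowlist; the account rows and the 10.0.1.0/24 application network are constructed sample data, not real systems.

```python
"""Audit MySQL account host scopes against an application-tier allowlist.

Added example, not from the ISC diary. Assumes you have already run
SELECT user, host FROM mysql.user and know the application subnets.
"""
import ipaddress
import re

# Constructed sample rows from mysql.user (user, host).
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("app", "10.0.1.%"),                 # MySQL wildcard: 10.0.1.0/24
    ("app", "10.0.1.0/255.255.255.0"),   # MySQL addr/netmask form
    ("reporting", "%"),                  # any host at all
    ("etl", "10.0.9.17"),                # exact IP outside the app tier
    ("legacy", "10.%"),                  # wildcard far wider than the app tier
]
# Constructed: networks the application servers connect from.
APP_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
_DOTTED_PREFIX = re.compile(r"^(\d{1,3}\.){1,3}%$")


def host_scope(host):
    """Map a non-local mysql.user host value to an ip_network, or None when
    the value is a wildcard that cannot be bounded to a network."""
    if "/" in host:
        return ipaddress.ip_network(host, strict=False)
    if _DOTTED_PREFIX.match(host):
        # '10.0.1.%' covers 10.0.1.0/24, '10.%' covers 10.0.0.0/8
        octets = host[:-2].split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    if "%" in host or "_" in host:
        return None
    return ipaddress.ip_network(host)  # exact address -> /32 or /128


def audit_accounts(accounts, allowed):
    """Return (user, host, reason) for every account that can authenticate
    from outside the allowed application networks."""
    findings = []
    for user, host in accounts:
        if host in LOCAL_HOSTS:
            continue  # local-only accounts are not reachable over the network
        scope = host_scope(host)
        if scope is None:
            findings.append((user, host, "unbounded wildcard host"))
        elif not any(scope.subnet_of(n) for n in allowed if n.version == scope.version):
            findings.append((user, host, "reachable from outside app networks"))
    return findings
```

Accounts flagged here should be re-scoped (or dropped) so that the authenticated attack path only exists from hosts the firewall already admits.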
Volunteer Handler, Internet Storm Center