Oracle addresses 120+ vulnerabilities in massive April patch update

Oracle has published dozens of updates across its product line

The April 2013 Critical Patch Update (CPU) covers 13 product groups – a sprawling update that will keep IT administrators busy for some time to come.

“An accurate map of installed software will be crucial in applying these patches due to the large number of products covered,” said Wolfgang Kandek, CTO at Qualys, in a blog post. “We recommend starting with Internet exposed services first, and then moving by the CVSS scores attached to the vulnerability.”

He also grouped the updates by level of importance. The Oracle RDBMS product, for instance, has four updates with the highest possible CVSS score of 10, which means that an attacker could take full control of a machine via the vulnerability. “Organizations should place a high priority on mapping out whether they have exposed Oracle databases, and patch accordingly,” Kandek said.

Oracle’s Fusion product group has 29 vulnerabilities addressed, also with a top score of 10. “Patch as quickly as possible,” Kandek advised. “One of the vulnerabilities is in the Oracle Outside-In product, which is used by Microsoft Exchange server. It is scored at 6.8, which means we will see an Exchange update in the near future.”

Oracle Solaris is affected by 16 flaws with a top score of 6.4, with two vulnerabilities remotely exploitable, meaning that IT admins should focus on these two vulnerabilities as well in their patch priority list.

Oracle’s MySQL database, meanwhile, has 25 vulnerabilities addressed, with a maximum CVSS score of 6.9, a mid-level score that will give IT admins more time to react.

Other products updated include PeopleSoft, Supply Chain, E-Business Suite and CRM.

Outside of the CPU, Oracle also published a new version of Java that addresses 42 distinct vulnerabilities, with 19 having a score of 10. This update also addresses the vulnerabilities found during the Pwn2Own competition at CanSecWest in Vancouver during March, where Java was exploited by three different security researchers.

Oracle also changed the alerts that appear when running a Java applet, introducing distinct states that give more information about the nature of the applet. The new versions are update 21 for Java v7 and update 45 for Java v6.
