“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible”, the company said in announcing the update.
Amol Sarwate, vulnerability labs manager for Qualys, attributed the large number of security fixes to Oracle’s acquisition of companies like Sun and PeopleSoft.
“The CPUs are becoming huge. But due to the diversity of affected products, our guess is that many larger organizations could have specialized teams working on different products in order to make the Oracle quarterly CPU a bit more manageable”, Sarwate said.
Marcus Carey, security researcher and community manager at Rapid7, identified seven “deadly” flaws in the Oracle update – CVE-2011-0873, CVE-2011-2239, CVE-2011-2253, CVE-2011-2261, CVE-2011-2285, CVE-2011-2288, and CVE-2011-2305 – that require immediate attention.
“Of these seven, the worst three are CVE-2011-0873, CVE-2011-2261, and CVE-2011-2288 as they are remotely exploitable with a low complexity to launch a successful attack. These big three do not require credentials to exploit. These are the type of attacks that are probably already being exploited in the wild”, Carey warned.
Amichai Shulman, chief technology officer at Imperva, criticized Oracle for its severity scoring of vulnerabilities.
“CVE-2011-2253 is rated as a 7.1 on the severity scale (CVSS score). However, it requires privileged SYSDBA to abuse this vulnerability, which would place this problem much lower on most security professionals’ priority lists. Consequently, this should be scored lower. By contrast, CVE-2011-0835 and CVE-2011-0880 allow you to take over the entire database with just a valid set of credentials, yet score much lower at 6.5. Unfortunately, given the pervasiveness of the Oracle database, mislabelling the security impact of vulnerabilities can adversely affect the risk management process”, Shulman said.