Oracle's critical patch update includes 'game-over' vulnerabilities

For every affected product, at least one of the patched vulnerabilities may be remotely exploitable without authentication, i.e., exploitable over a network without a username and password. That means administrators at enterprises running Oracle's paid and free software need to update their installations immediately. But some of the affected software is more critical than the rest, according to Marcus Carey, security researcher at security risk intelligence provider Rapid7. Specifically, he said Oracle Database Server's Core RDBMS, Oracle JRockit and MySQL Server need particular attention.

Of all of them, the MySQL vulnerabilities may have the widest impact across the internet. Approximately 3 million MySQL servers were discovered during a recent internet-wide scan, Carey told Infosecurity via email. About 1.5 million of those have no host access control lists (ACLs) limiting which clients may connect, leaving them exposed to the type of remote exploit patched this cycle.
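The host ACLs Carey refers to are the Host column of MySQL's own grant tables: an account created for `'%'` (or a pattern containing `%`) accepts connections from any address that can reach the port. The following audit query is an added example, not from the article or from Rapid7; it assumes a MySQL 5.x-era server with the classic `mysql.user` table and a client session with `SELECT` on the `mysql` schema. The second statement shows the server-side setting that keeps MySQL off the network entirely when only local clients need it.

```sql
-- Added example (not from the article): list accounts whose Host value lets
-- any remote client attempt a login. Empty User rows are anonymous accounts,
-- which are just as exposed as wildcard hosts.
SELECT User, Host
FROM   mysql.user
WHERE  Host = '%'
   OR  Host LIKE '%\%%'   -- patterns such as '192.168.%' or '%.example.com'
   OR  User = ''
ORDER  BY User, Host;

-- Expected on a hardened host: no rows. Any row returned is an account that
-- an unauthenticated network attacker can at least reach, which is the
-- precondition for the remote, no-auth issues patched in this CPU.

-- Related check: whether the server listens on a network interface at all.
-- bind_address = 127.0.0.1 (or skip_networking = ON) means a remote attacker
-- cannot reach the listener regardless of grant-table hosts.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking');
```

Fix findings by re-scoping the account (`RENAME USER 'app'@'%' TO 'app'@'10.0.1.20';`) or dropping it, then `FLUSH PRIVILEGES;` only if the grant tables were edited directly rather than through account-management statements.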

MySQL Server receives fixes for 14 vulnerabilities in this CPU, the highest carrying a CVSS base score of 9.0 on the 0-10 scale that indicates severity; two of the 14 may be remotely exploitable without authentication. Taking both factors together, CVE-2012-3158, rated 7.5, is the most severe MySQL vulnerability that is both remotely exploitable and requires no authentication. According to Oracle, an attack through this vector could lead to a significant compromise of the confidentiality, integrity and availability of affected systems.

“Many would argue that CVE-2012-3158 could be rated higher,” said Carey.

Meanwhile, Oracle Database Server's Core RDBMS and Oracle JRockit each have a vulnerability with a CVSS base score of 10.0 and should be patched as soon as possible, he warned.

For both, “a successful attack would result in the complete compromise of the system’s confidentiality, integrity and availability,” Carey said, adding that a vulnerability rated 10.0 on the CVSS scale is essentially “game over” if an attacker can reach the device over the internet or an intranet.

Carey also commented on what was not included in the CPU. In light of the recent Java zero-day attack, “many were anticipating that Oracle would patch Java Runtime Environment (JRE), which they did with Java Runtime Environment Version 7 Update 9 and Version 6 Update 37,” he said. “I advise everyone who needs Java to update as soon as possible.”
