Oracle Critical Patch Update-October2017

Oracle announced  Critical Patch Update – October 2017 today. More or less this PSU  affects all Oracle Products.The general document that covers all information about October-2017 PSU is found in the Metalink.

Patch Set Update and Critical Patch Update October 2017 Availability Document (Doc ID 2296870.1)

At this note; we will focus on Oracle Database , Oracle WebLogic Server and Mysql products.

Let’s start with Oracle Database;

This PSU contains two important new security fixes for Oracle database. With these vulnerabilities , Oracle database may be exploited over a network without requiring user credentials. The base score of these vulnerabilities is 8.8. If you compare these scores with July-2017 PSU, these scores are low.

Actually , there are 6 new security fixes at this PSU. But I will show only two critical fixes at this note.

Screen Shot 2017-10-18 at 22.15.55

If you want to apply these patches ; you can find them at Metalink

For Oracle Database 12.2.0.1

Patch 26636246: COMBO OF OJVM RU COMPONENT 12.2.0.1.171017 + GIRU 12.2.0.1.171017

For Oracle Database 12.1.0.2

Patch 26636270: COMBO OF OJVM COMPONENT 12.1.0.2.171017 DBPSU + DBPSU 12.1.0.2.171017

For Oracle Database 11.2.0.4

Patch 26636315: COMBO OF OJVM COMPONENT 11.2.0.4.171017 DB PSU + DB SPU 11.2.0.4.171017

Continue with Oracle Fusion Middleware. The Base score for this product starts from 9.8. It is very high if you compare to Oracle Database. Screen Shot 2017-10-18 at 22.26.30

 

If you want to install this PSU. You can find patch from Doc ID 2296870.1

Patch number for Oracle WebLogic Server are given below.

Screen Shot 2017-10-18 at 22.28.24

Now go on with MySQL; It is base score is lower than Oracle Database and two of them are criticalScreen Shot 2017-10-18 at 22.32.33

As a result; I advice you to apply this PSU as soon as earlier.

Advertisements

Oracle July 2017 Critical Patch Update

Oracle July 2017 Critical Patch Update (CPU)  has been released on this page. This CPU includes 308 new security fixes across all Oracle products. A Critical Patch Update (CPU) is a collection of patches for  security vulnerabilities and these are released in cumulative manner.

In  Document ID 2282980.1 ( metalink note ) you can find Executive Summary and Analysis for Oracle 2017 july CPU.

At this note; I will give brief information about the critical vulnerabilities which are solved in this CPU.  I especially will give information about very critical vulnerabilities. The importance of the vulnerabilities are scored by  Common Vulnerability Scoring System v3.0 and according to this classification the CVVS score between 9 and 10 is called critical vulnerabilities.  The important point of these vulnerabilities is you can compromise a  system without authentication on the network.

Let’s start with Database CPUs

In this patch there is a solution for CVE-2017-10202;  Vulnerability in the OJVM component of Oracle Database Server.  This vulnerability remotely exploitable without authentication. It is CVVS score is 9.9 and it is very high if you compare this score with other patches in 2017 . This is the maximum score in 2017.

Capture

And if you look at ; Oracle Fusion Middleware patches you will see; CVE-2017-10137 (JINDI)  CVSS Base Score: 10.0 . By HTTP protocol intruder can easily compromise  Oracle WebLogic Server without authentication.

Capture

And another very important patches for MYSQL database is CVE-2016-4436 (Apache Struts 2). It is score is 9.9. An  attacker can compromise MYSQL database via  HHTP over TLS without authentication

Capture

As you see ; there are very important solutions for security vulnerabilities in July-2017 CPU. Therefor I advice you to  apply this CPU in mean time.