April 2018 Oracle Critical Patch Update

Oracle announced the April 2018 Critical Patch Update. This patch includes 254 new security fixes. At the same time, this patch comes with a special addendum called "Addendum to the January 2018 CPU Advisory for Spectre and Meltdown" (Doc ID 2347948.1), covering the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.

Patch Availability Table for Spectre & Meltdown vulnerabilities

Affected Product                                                   Patch Availability
Oracle Audit Vault and Database Firewall [Product ID 9749]         MOS note 2359424.1
Oracle Big Data Appliance [Product ID 9734]                        MOS note 2357485.1
Oracle Exadata Database Machine [Product ID 2546]                  MOS note 2356385.1
Oracle Exalogic Elastic Cloud [Product ID 9415]                    MOS note 2348852.1
Oracle Key Vault [Product ID 10221]                                MOS note 2366657.1
Oracle Linux [Product ID 1309]                                     MOS note 2348448.1
Oracle Private Cloud Appliance [Product ID 10635]                  MOS note 2370398.1
Oracle Solaris Operating System [Product ID 10006]                 SPARC: MOS note 2349278.1; X86: MOS note 2383531.1
Oracle VM [Product ID 4455]                                        MOS note 2348460.1
Oracle VM VirtualBox [Product ID 8370]                             MOS note 2339562.1
Oracle X86 Servers [Product ID Multiple]                           MOS note 2336753.1
Oracle ZFS Storage Appliance (ZFSSA) [Product ID 10026]            MOS note 2371830.1
Zero Data Loss Recovery Appliance Software [Product ID 11342]      MOS note 2356406.1

All details about the April 2018 CPU can be found at this site:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

If you want brief information about this CPU, you can read the MOS note below:

April 2018 Critical Patch Update: Executive Summary and Analysis (Doc ID 2383583.1)

In this note we will focus on the Oracle Database, Oracle Fusion Middleware and MySQL database products.

Let’s start with Oracle Database. This patch includes 2 fixes for Oracle Database, and one of these fixes is for Oracle GoldenGate. As you see, the number of fixes is very low in this CPU. All vulnerabilities in Oracle Database can be remotely exploited without authentication. You can find all details about these vulnerabilities in picture-1.

[picture-1: details of the Oracle Database fixes in the April 2018 CPU]

If you look at the fixes in Oracle Fusion Middleware products, you can see 39 new security fixes, and 30 of these vulnerabilities may be remotely exploitable without authentication. The top critical fixes are given in picture-2.

[picture-2: top critical Oracle Fusion Middleware fixes in the April 2018 CPU]

For the MySQL database, 33 new security fixes are released, and 2 of these vulnerabilities may be remotely exploitable without authentication. The top fixes for MySQL are given in picture-3.

[picture-3: top MySQL fixes in the April 2018 CPU]

As a result, the fixes for Oracle Fusion Middleware products are very critical. But Oracle strongly recommends that you apply all of these fixes as soon as possible, using this MOS note: Database, Fusion Middleware, and Enterprise Manager Critical Patch Update April 2018 Patch Availability Document 2353306.1.

Thanks for reading this note.

Yusuf Anıl Akduygu


Oracle Critical Patch Update - October 2017

Oracle announced the Critical Patch Update for October 2017 today. This PSU affects more or less all Oracle products. The general document that covers all information about the October 2017 PSU is found in Metalink:

Patch Set Update and Critical Patch Update October 2017 Availability Document (Doc ID 2296870.1)

In this note we will focus on the Oracle Database, Oracle WebLogic Server and MySQL products.

Let’s start with Oracle Database.

This PSU contains two important new security fixes for Oracle Database. Through these vulnerabilities, an Oracle database may be exploited over a network without user credentials. The base score of these vulnerabilities is 8.8. If you compare these scores with the July 2017 PSU, they are low.

Actually, there are 6 new security fixes in this PSU, but I will show only the two critical fixes in this note.

[Screenshot: the two critical Oracle Database fixes in the October 2017 PSU]

If you want to apply these patches, you can find them in Metalink:

For Oracle Database 12.2.0.1

Patch 26636246: COMBO OF OJVM RU COMPONENT 12.2.0.1.171017 + GIRU 12.2.0.1.171017

For Oracle Database 12.1.0.2

Patch 26636270: COMBO OF OJVM COMPONENT 12.1.0.2.171017 DBPSU + DBPSU 12.1.0.2.171017

For Oracle Database 11.2.0.4

Patch 26636315: COMBO OF OJVM COMPONENT 11.2.0.4.171017 DB PSU + DB SPU 11.2.0.4.171017

Continue with Oracle Fusion Middleware. The base score for this product starts from 9.8, which is very high if you compare it to Oracle Database.

[Screenshot: Oracle Fusion Middleware fixes in the October 2017 PSU]

If you want to install this PSU, you can find the patch in Doc ID 2296870.1.

The patch numbers for Oracle WebLogic Server are given below.

[Screenshot: Oracle WebLogic Server patch numbers for the October 2017 PSU]

Now let’s go on with MySQL. Its base scores are lower than those of Oracle Database, and two of the fixes are critical.

[Screenshot: MySQL fixes in the October 2017 PSU]

As a result, I advise you to apply this PSU as soon as possible.

Oracle July 2017 Critical Patch Update

The Oracle July 2017 Critical Patch Update (CPU) has been released. This CPU includes 308 new security fixes across all Oracle products. A Critical Patch Update (CPU) is a collection of patches for security vulnerabilities, and CPUs are released in a cumulative manner.

In Document ID 2282980.1 (Metalink note) you can find the Executive Summary and Analysis for the Oracle July 2017 CPU.

In this note I will give brief information about the critical vulnerabilities fixed in this CPU, focusing especially on the most critical ones. The severity of the vulnerabilities is scored with the Common Vulnerability Scoring System v3.0, and under this classification a CVSS score between 9 and 10 is called critical. The important point about these vulnerabilities is that an attacker can compromise a system over the network without authentication.

Let’s start with the Database CPU.

This patch contains a fix for CVE-2017-10202, a vulnerability in the OJVM component of Oracle Database Server. This vulnerability is remotely exploitable without authentication. Its CVSS score is 9.9, which is very high if you compare it with other patches in 2017; it is the maximum score in 2017.

[Screenshot: CVE-2017-10202 details from the July 2017 CPU]

If you look at the Oracle Fusion Middleware patches, you will see CVE-2017-10137 (JNDI) with a CVSS Base Score of 10.0. Over the HTTP protocol, an intruder can easily compromise Oracle WebLogic Server without authentication.

[Screenshot: CVE-2017-10137 details from the July 2017 CPU]

Another very important patch for the MySQL database is CVE-2016-4436 (Apache Struts 2). Its score is 9.9. An attacker can compromise the MySQL database via HTTP over TLS without authentication.

[Screenshot: CVE-2016-4436 details from the July 2017 CPU]

As you see, there are very important fixes for security vulnerabilities in the July 2017 CPU. Therefore I advise you to apply this CPU as soon as possible.