The Oracle Critical Patch Update (CPU) advisory for July has been issued with a total of 87 security patches across the company's overall product portfolio.
The most notable vulnerability involves Oracle JRockit (CVE-3135), which is listed with a CVSS base score of 10.0, the highest and most critical rating available.
"This is like a perfect storm," said Marcus Carey, security researcher at Rapid7. "You can access it over multiple protocols, and it opens you up to remote exploits without a password. It can be accessed across the network unless there is an access controller in the middle to block the attempt. And, the attacker can get control over the full range of data. So this would, in essence, be 'game over.'"
Two vulnerabilities in the bulletin are rated at 7.8 on the same scale of 10. The first, CVE 1740, involves Oracle Application Express Listener. "Someone could use regular web protocols to contact the server and do a remote exploit without authentication," Carey explained. "Plus, the complexity of the attack is rated as 'low,' meaning that your kid could probably do it."
Also rated at 7.8 is CVE 3192, which impacts Oracle's Secure Backup Apache Component. This is another low-complexity attack in which systems can be accessed over the web without authentication to gain full data control.
CVE 1737, which involves Oracle Enterprise Manager Grid Control, is rated 6.8. It is similar in that it can be exploited remotely without authentication, but the complexity of the attack is somewhat higher, and it does not give access to the full range of data. Another 6.8 rating goes to CVE 1731, a Siebel CRM vulnerability with characteristics similar to CVE 1737.
CVE 3126 is used against Solaris Cluster via the Apache Tomcat Agent. It, too, results in system compromise, but it can only be executed locally. There are also three other Solaris-related patches (3120, 4609, 3125), with base scores ranging from 7.1 to 7.8.
"Organizations should look at this risk matrix and develop a strategy for dealing with them," advised Carey. "It's not just a matter of putting in the patches; it's also a matter of protecting the network access, which will reduce the exposure still further. If you build the network right, you can mitigate the risk without even having to worry about the patches. And so many of the servers are business-critical that it makes it difficult to patch because you don't want to take the system down. In fact, many of these patches are not going to be installed anytime soon at a variety of companies."
Under most circumstances, Oracle issues patches every three months. The next one is scheduled to take place in October.
PUBLISHED JULY 17, 2012