86 Oracle Updates
	Oracle has released a lengthy list of updates to many products. Descriptions are available here: 
	http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
Of the 86 Oracle updates released, a few stand out as high risk:
CVE-2012-3220 (affecting Oracle Database Server products) carries the highest severity, with a CVSS base score of 9.0 out of a possible 10 when the database is hosted on Windows; for *nix based servers the score is lower, at 6.5. It is remotely exploitable over the network, but requires authentication.
	Oracle Database Mobile Server products are next on the list, with the following CVEs and CVSS base scores. All are remotely exploitable over HTTP without authentication:
	CVE-2013-0361 10.0
	CVE-2013-0366 10.0
	CVE-2013-0362 7.8
	CVE-2013-0363 7.8
	CVE-2013-0364 7.8
	The following two CVEs affect MySQL Server. Each has a CVSS score of 9.0 and is remotely exploitable, with authentication:
	CVE-2012-5612
	CVE-2012-5611
The remainder of the updates listed have scores of 7.5 or lower, and represent a mix of remote and local exploits, some of which require no authentication.
In most cases, well designed defense in depth will protect middleware and backend database servers from direct exploitation. Limiting which hosts can communicate with these systems, using both network and host based firewalls, reduces the attack surface to exploits that must pass through the application itself (SQL injection or similar), which mitigates the remote vectors above. Database and middleware servers that can be reached from arbitrary remote hosts are at far greater risk. Applying vendor updates after testing them against the application in a non-production environment remains best practice in all cases.
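As an added illustration of the host-based allowlist described above (this is not part of the diary or of Oracle's advisory), here is an nftables ruleset for a Linux database host that only permits the application tier to reach the database listener ports. The addresses, set names, the management host, and the choice of ports 1521 (Oracle Net) and 3306 (MySQL) are assumptions for the example; the commented-out rule shows the overly permissive equivalent that leaves the listener open to every host on the network.

```nft
# Added example for this diary, not part of Oracle's advisory or the ISC post.
# Host-based allowlist for a database server: only the application tier may
# reach the database listener ports, and only a management host may open SSH.
# All addresses, ports and set names below are assumptions; adjust to your
# environment. Load with: nft -f db-host-firewall.nft
flush ruleset

table inet db_host_fw {
    # Hypothetical application servers permitted to talk to the database.
    set app_servers {
        type ipv4_addr
        elements = { 10.0.10.11, 10.0.10.12 }
    }

    # Hypothetical bastion/management host permitted to open SSH.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.0.0.5 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep established sessions and loopback working; drop broken state.
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # ICMP echo is useful for monitoring; everything else falls to the drop policy.
        ip protocol icmp icmp type echo-request accept

        # Weak setting: the listener ports open to every host that can route here.
        # tcp dport { 1521, 3306 } accept

        # Corrected setting: database listener ports (1521 = Oracle Net,
        # 3306 = MySQL) reachable only from the application tier. A "remote"
        # database exploit now has to get through the application first.
        ip saddr @app_servers tcp dport { 1521, 3306 } accept

        # Administrative access from the management host only.
        ip saddr @mgmt_hosts tcp dport 22 accept

        # Log (rate limited) what the policy drops so scans and misconfigured
        # clients are visible to the SOC rather than silently discarded.
        limit rate 10/minute log prefix "db_host_fw drop: "
    }
}
```

Two caveats a practitioner should keep in mind. First, the ruleset is IPv4 only: because the table is of family inet with a drop policy, a host that also uses IPv6 needs matching ip6 rules (including ICMPv6 neighbor discovery) or its IPv6 connectivity will be cut off. Second, a host firewall only narrows who can reach the listener; it does nothing about the authenticated remote paths above once an application account is compromised, so it complements patching rather than replacing it.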
If you run any of these impacted systems and can report on your experience with these updates, please share that with us, and I will update this diary or post another covering those experiences.
	--
	Dan
	Volunteer Handler, Internet Storm Center