Oracle's January patches close 86 holes
As previously announced, Oracle has released its first Critical Patch Update for 2013. The patch collection offers 86 security fixes; the two most serious of the holes have been given the highest Common Vulnerability Scoring System (CVSS) rating of 10.
These two holes (CVE-2013-0361, CVE-2013-0366) exist in Oracle Mobile Server, a component that was formerly called Oracle Lite 10g. They allow unauthenticated attackers to gain full control of a system remotely. Three other vulnerabilities (CVE-2013-0362, CVE-2013-0363, CVE-2013-0364) grant unauthenticated intruders remote access to the server's data. Versions 10 and 11 of the Mobile Server are affected.
Another hole (CVE-2012-3220) that gave attackers full access on Windows systems was closed in Oracle's Spatial database module. However, to exploit the hole, an attacker must be logged into the database server and possess the CREATE TABLE privilege.
The greatest number of fixes affects Oracle's open source MySQL database, where the company closed 18 holes. Two of them (CVE-2012-5612, CVE-2012-5611) are buffer overflows that potentially allowed authenticated attackers to crash the server or execute arbitrary code. In the free MariaDB MySQL clone, these bugs were already fixed in December 2012. Oracle released versions 5.1.67 and 5.5.29 of MySQL two weeks ago; these versions also fix the bugs.
Other focal points of the latest Critical Patch Update are Enterprise Manager Grid Control (13 patches), PeopleSoft PeopleTools (12), Siebel CRM (10), Fusion (9) and Solaris (8). Oracle took almost a year to fix a bug in Fusion (CVE-2012-0022): the flaw in the Apache Tomcat application server was made public on 17 January 2012, and the Apache developers had already released a fixed version in November 2011.