One of them is a backdoor planted by the company itself

Jan 20, 2015 10:35 GMT

The Critical Patch Update prepared by Oracle for the month of January 2015 focuses on fixing a total of 167 issues found in 48 of the company’s products.

The patches are scheduled to become available on Tuesday, and the most severe of the problems received the maximum score of 10 under version 2 of the Common Vulnerability Scoring System (CVSS).

Serious backdoor risk to be addressed

Database security expert David Litchfield says that 11 of the bugs fixed in this update have been reported by him, one of them standing out in terms of severity.

In a tweet on Monday he said that the bug was discovered while checking the systems of a client. At first, he believed that a compromise had occurred and the attacker left a backdoor.

On closer inspection, Litchfield discovered that the backdoor came from Oracle itself, as part of a seeded installation of the eBusiness Suite. It granted administrative privileges to regular users, meaning that anyone with sufficient knowledge of it could gain access to the databases.

19 fixes target Java issues

According to the pre-release announcement, one of the products affected by such a severe vulnerability is Java Standard Edition (SE).

In total, the program is to receive 19 repairs, 14 of which are of particular significance because they address vulnerabilities that can be exploited remotely.

The developer says that these would allow a potential attacker to exploit the flaws without having to provide a username and password, that is, without authentication.

Other Java components included on the list of repairs are Java SE Embedded and JRockit.

Oracle products with most fixes

The product that received the most attention from the developer is Oracle Fusion Middleware, which benefits from 35 new security patches, most of them (28) for vulnerabilities that can be exploited remotely without authentication.

19 components of the product were affected by the flaws, including Oracle Forms, Oracle HTTP Server, Oracle OpenSSO and Oracle Security Service. The highest CVSS Base Score among these components is 9.3.

Next in line is Oracle Sun Systems Products Suite, which is listed with 29 security improvements for components like Fujitsu M10-1, M10-4S Servers, M9000 Servers, Solaris, Solaris Cluster and SPARC Enterprise M3000.

Ten of the weaknesses allow remote exploitation without authentication. The most significant flaw received the maximum score of 10.

Needless to say, the company advises users to apply the fixes in the Critical Patch Update with the utmost urgency in order to avoid the risk of an attack.

The Critical Patch Update is delivered by Oracle on a quarterly basis; this year it is scheduled for January 20, April 14, July 14, and October 20.