Patch Your Oracle
January 19, 2012 | POSTED BY BRETT EDGAR IN SECURITY, ADVISORIES
Oracle dropped a bomb today on DBAs everywhere: the January 2012 Critical Patch Update (CPU) addresses 79 vulnerabilities. Affected products range from the 10g and 11g releases of Oracle Database to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database fixes addresses a vulnerability that is remotely exploitable without authentication, meaning an attacker who can simply reach the listener over the network can attempt it without a valid database account. In other words, PATCH NOW! (After testing in a non-production environment, of course.)
Hopefully, your Oracle installations are properly shielded from general access on the Internet. Generally speaking, databases should be locked down so that only the application servers can reach the listener port (1521 by default), and the application servers should in turn only be reachable from the front-end web servers. If your Oracle listener is reachable from the Internet, you might want to re-think your architecture before an unauthenticated remote bug does it for you.
Internal network access to DBs and application servers is usually far less tightly controlled. In many shops, users connect directly to the Oracle database to run ad-hoc queries or to drive a desktop application. So if one of those users picks up malware that lets an external attacker control the workstation, the attacker has the same network path to your listener that the user has, and your DB server is at risk. Just because your DBs are not exposed to the Internet does not mean you should downplay the threats addressed in this CPU. Remember, many data-loss incidents originate from an internal machine, not from an Internet-facing one.