TeamSHATTER: Analysis of the January 2012 Oracle CPU

Wednesday, January 18, 2012

Alexander Rothacker


Every 3 months I analyze the Oracle CPU with regard to the Oracle Database, but this time it’s different, there is nothing to write about (almost).

There are only TWO fixes for the Database.

This is the lowest number ever since the CPU program has started in 2005. Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and is now suddenly secure.

TeamSHATTER still has a list of open issues. This time around they shipped 78 security fixes over various product families.

That’s the same number of total fixes they shipped last July. However, this is the first time the CPU included MySQL fixes, 27 of them.

The conclusion to be drawn can only be that they continue to water down their resources focused on Oracle Database fixes.

Now, let’s take a closer look at these two issues and see what they are all about:

  • CVE-2012-0082: This is the more severe of the two issues with a rating of 5.5 using Oracle’s proprietary Partial+ rating, scoring availability as Complete will raise the score to 7.5. According to an Oracle support document and other publicly available information this patch will fix an issue with the database running out of System Change Numbers. Customers should apply this fix after making sure it does not have any side effects on their product environments. What’s surprising about this issue is that it is included in a CPU. I would have expected this issue to be fixed in a Patch Set, not a CPU. However, it appears that this issue has been experienced in real world installations and thus probably got pushed up the food chain.
  • CVE-2012-0072: This issue affects the Oracle Listener. Similar to the previous issues, this issue is using ‘Partial+’ scoring. With a ‘Complete’ score, this will rank as an 8.7 and is exploitable remotely without authentication.

Two quick bullet points and I’m done. As they say ‘That was Easy’.

Now, if you are a MySQL DBA there is real work to be done. There are 27 security fixes announced in this CPU. To apply them you need to update your MySQL database to 5.0.95, 5.1.61 or 5.5.20 depending on the major release in use at your organization.

In contrast to fixes to the Oracle Database, detailed information regarding the fixes can be found on the site.

Section D of the respective Reference Manual has a detailed change history. The issues to worry about the most are CVE-2012-0113, CVE-2012-0116, CVE-2012-0118, CVE-2012-0496 and CVE-2012-0484. All these issues allow for a breach of confidentiality over the network.

Of course all of the issues should be treated with importance and all MySQL installations should be updated at the earliest possible time.

I am quite curious to see what the April 2012 CPU will bring us. I sure hope we see more than two Database fixes (other than MySQL).

With a record-setting low in this latest CPU, Oracle can rest easy knowing they don’t have much further to go to set any more records of indifference on the once important (to them) Database platform.

Cross posted from TeamShatter

Possibly Related Articles:
Databases Oracle Vulnerabilities Network Security TeamSHATTER MySQL CPU Alexander Rothacker DBMS CVE
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.