Oracle Critical Patch Update January 2013 Review

Oracle released its Critical Patch Update (CPU) for January 2013 on Tuesday, January 15. This CPU contains 86 security vulnerability fixes across 24 Oracle products. Of these 86 vulnerabilities, 45 may be remotely exploitable without authentication. The highest CVSS Base Score in this CPU is 10.0 and concerns Oracle Database Mobile. 9 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you may also know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating, which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from how CVSS 2.0 defines it.
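To show why the impact rating matters so much, here is an added CVSS 2.0 base-score calculator (not part of the original post) built from the weights and equations of the CVSS v2 specification. The vectors it scores are assumed for illustration, not Oracle's published ones; they show that the same access metrics land at 9.0 with an all-Complete impact and at 6.5 with an all-Partial impact when authentication is required, the same pair of figures this CPU reports for CVE-2012-3220 on Windows versus Linux, and that a “Partial+” value is simply not representable.

```python
# CVSS 2.0 base-score calculator using the weights and equations of the
# CVSS v2 specification. Added illustration; the vectors scored are assumed.

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
# Impact values defined by CVSS 2.0: None, Partial, Complete.
# Oracle's "Partial+" is absent on purpose: the specification has no such value.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
          "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:S/C:C/I:C/A:C' into a dict, rejecting non-CVSS 2.0 values."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in TABLES or value not in TABLES[key]:
            raise ValueError(f"{part!r} is not a CVSS 2.0 base metric")
        metrics[key] = value
    if set(metrics) != set(TABLES):
        raise ValueError("vector must contain exactly the six base metrics")
    return metrics


def is_valid_cvss2_vector(vector):
    """True only for vectors made of values CVSS 2.0 actually defines."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def cvss2_base_score(vector):
    """Base score per the CVSS 2.0 equations, rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]])
                      * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) from the specification
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def complete_vs_partial(access):
    """Score the same access metrics with all-Complete and with all-Partial impact."""
    return (cvss2_base_score(f"{access}/C:C/I:C/A:C"),
            cvss2_base_score(f"{access}/C:P/I:P/A:P"))


if __name__ == "__main__":
    for access in ("AV:N/AC:L/Au:N", "AV:N/AC:L/Au:S"):
        print(access, "complete vs partial:", complete_vs_partial(access))
```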

Oracle Database Server

One vulnerability is reported for “Oracle Database Server”. CVE-2012-3220 has a CVSS base score of 9.0 on Windows platforms and 6.5 on Linux and Unix. The affected component is “Spatial” and exploitation requires authentication.

Oracle Database Mobile/Lite Server

5 vulnerabilities are reported for “Oracle Database Mobile/Lite Server”, all of which are remotely exploitable without authentication. The highest CVSS score is 10.0. The affected component is “Mobile Server”.

CVE-2013-0361 and CVE-2013-0366 have a CVSS base score of 10.0. CVE-2013-0362, CVE-2013-0363 and CVE-2013-0364 have a CVSS base score of 7.8.

Oracle Fusion Middleware

6 vulnerabilities are reported for “Oracle Fusion Middleware” and 4 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected components are “Management Pack for Oracle GoldenGate”, “Oracle GoldenGate Veridata”, “Oracle WebLogic Server”, “Oracle Access Manager”, “Oracle Application Server Single Sign-On” and “Oracle Outside In Technology”.

CVE-2012-0022 and CVE-2011-5035 have a CVSS base score of 5.0. CVE-2012-5097 and CVE-2012-1677 have a CVSS base score of 4.3. CVE-2013-0393 and CVE-2013-0418 have a CVSS base score of 2.1.

Oracle Enterprise Manager Grid Control

13 vulnerabilities are reported for “Oracle Enterprise Manager Grid Control” and all of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.5. Affected components are “APM – Application Performance Management” and “Enterprise Manager Base Platform”.

CVE-2013-0359 has a CVSS base score of 7.5. CVE-2013-0360 and CVE-2013-0396 have a CVSS base score of 5.0. CVE-2013-0352, CVE-2013-0374, CVE-2013-0355, CVE-2013-0372, CVE-2013-0373, CVE-2013-0353, CVE-2013-0354, CVE-2013-0358, CVE-2012-3219 and CVE-2012-5062 have a CVSS base score of 4.3.

Oracle E-Business Suite

9 vulnerabilities are reported for “Oracle E-Business Suite” and 7 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.4. Affected components are “Oracle Applications Framework”, “Oracle CRM Technical Foundation”, “Oracle Marketing”, “Oracle Universal Work Queue”, “Human Resources”, “Oracle Applications Technology Stack” and “Oracle Payroll”.

CVE-2013-0397, CVE-2013-0381, CVE-2013-0382 and CVE-2012-3190 have a CVSS base score of 6.4. CVE-2012-3218 has a CVSS base score of 5.5. CVE-2013-0376, CVE-2013-0377 and CVE-2013-0380 have a CVSS base score of 4.3. CVE-2013-0390 has a CVSS base score of 2.1.

Oracle Supply Chain Products

One vulnerability is reported for “Oracle Supply Chain Products”: CVE-2013-0370 has a CVSS base score of 2.1. The affected component is “Oracle Agile PLM Framework”.

Oracle PeopleSoft Products

12 vulnerabilities are reported for “Oracle PeopleSoft Products” and 7 of them may be remotely exploitable without authentication. The highest CVSS base score of these vulnerabilities is 5.5. Affected components are “PeopleSoft PeopleTools” and “PeopleSoft HRMS”.

CVE-2013-0369 and CVE-2013-0391 have a CVSS base score of 5.5. CVE-2013-0394 has a CVSS base score of 5.0. CVE-2013-0388, CVE-2013-0356, CVE-2013-0357, CVE-2012-1755, CVE-2013-0387, CVE-2012-5059 and CVE-2013-0392 have a CVSS base score of 4.3. CVE-2013-0395 has a CVSS base score of 4.0. CVE-2012-3192 has a CVSS base score of 3.5.

Oracle JD Edwards Products

One vulnerability is reported for “Oracle JD Edwards Products”: CVE-2012-1678 has a CVSS base score of 3.5. The affected component is “JD Edwards EnterpriseOne Tools”.

Oracle Siebel CRM

10 vulnerabilities are reported for “Oracle Siebel CRM” and 5 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. The affected component is “Siebel CRM”.

CVE-2012-1701, CVE-2012-3170 and CVE-2012-3169 have a CVSS base score of 5.0. CVE-2013-0378 and CVE-2013-0379 have a CVSS base score of 4.3. CVE-2013-0365, CVE-2012-1680, CVE-2012-3172, CVE-2012-3168 and CVE-2012-1700 have a CVSS base score of 4.0.

Oracle Sun Products Suite

8 vulnerabilities are reported for “Oracle Sun Products Suite” and one of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.6. Affected components are “Solaris” and “Sun Storage Common Array Manager (CAM)”.

CVE-2013-0400 and CVE-2013-0399 have a CVSS base score of 6.6. CVE-2013-0415 has a CVSS base score of 6.0. CVE-2013-0417 has a CVSS base score of 5.0. CVE-2013-0407 has a CVSS base score of 3.6. CVE-2012-0569 and CVE-2013-0414 have a CVSS base score of 3.3. CVE-2012-3178 has a CVSS base score of 2.1.

Oracle Virtualization

One vulnerability is reported for “Oracle Virtualization”: CVE-2013-0420 has a CVSS base score of 2.4. The affected component is “VirtualBox”.

Oracle MySQL

18 vulnerabilities are reported for “Oracle MySQL” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 9.0. The affected component is “MySQL Server”.

CVE-2012-5612 and CVE-2012-5611 have a CVSS base score of 9.0. CVE-2012-5060, CVE-2013-0384, CVE-2013-0389 and CVE-2013-0386 have a CVSS base score of 6.8. CVE-2013-0385 has a CVSS base score of 6.6. CVE-2013-0375 has a CVSS base score of 5.5. CVE-2012-1702 has a CVSS base score of 5.0. CVE-2013-0383 has a CVSS base score of 4.3. CVE-2013-0368, CVE-2012-0572, CVE-2013-0371, CVE-2012-0574, CVE-2012-1705, CVE-2012-0578 and CVE-2013-0367 have a CVSS base score of 4.0. CVE-2012-5096 has a CVSS base score of 3.5.