October 18, 2011

Oracle’s Q3 CPU Release

by Imperva CTO Amichai Shulman

Today, Oracle released their critical patch update (CPU).  The release contains fixes for 57 vulnerabilities, which is about average compared to the past.  It is also worth noting that this set of patches follows a different framework.  In the past, JRockit, originally an Oracle product was incorporated into the standard CPU cycle.  This time, it is part of the separate Java SE CPU cycle.  Also, Oracle has added a proprietary version of Linux to the standard CPU cycle. 

As usual Oracle's use of CVSS scoring system takes the scoring of most vulnerabilities down.  In the database product for example, some vulnerabilities are probably downplayed.  For example, the highest vulnerability is 6.5 out of 10 (CVE-2011-3525).  But this one should probably be higher because:

  • The effect is practically a full takeover of the database server.
  • It’s easy to exploit.

Another database vulnerability gets a 5.5 (CVE-2011-3512) but should be higher as well.  It’s probably a SQL injection vulnerability which is relatively easy to exploit and could lead to a catastrophic dump of the database's contents.


Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.