Patch Your Oracle

January 17th, 2012 | Posted by Brett Edgar in Advisories | Security

Oracle dropped a bomb today on DBAs everywhere: the January 2012 Critical Patch Update (CPU) addresses 79 vulnerabilities! Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication. In other words, PATCH NOW! (After testing, of course.)

Hopefully, your Oracle applications are properly secured from general access on the Internet. Generally speaking, databases should be locked down so that they are accessible only from application servers, which in turn should be accessible only from front-end web servers. If your Oracle DB is accessible from the Internet, you might want to re-think your architecture.

Internal network access to DBs and App Servers is probably less tightly controlled. In many instances, users may connect directly to the Oracle DB to run queries or a desktop application. So now, if one of your users has malware that permits an external attacker to control the machine, your DB server is at risk. Just because your DBs are not exposed to the Internet does not mean you should downplay the threats addressed in this CPU. Remember, many data-loss attacks originate from an internal machine, not via an Internet-accessible machine.
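
An added example (not from the original post): the script below audits connection records against the tiered model described above, flagging any flow that reaches the database or application tier from a source other than the tier in front of it. The subnets, sample flows and function names are assumptions constructed for illustration; 1521 and 7001 are the default Oracle listener and WebLogic ports.

```python
import ipaddress

# Assumed tier layout (constructed for this example, not from the post).
TIERS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "users": ipaddress.ip_network("10.0.50.0/24"),
}
# Which source tiers may initiate connections into each protected tier.
ALLOWED_SOURCES = {"db": {"app"}, "app": {"web"}}

# Constructed sample flow records: "source destination dest_port".
SAMPLE_FLOWS = [
    "203.0.113.7 10.0.1.10 443",    # Internet -> web server
    "10.0.1.10 10.0.2.20 7001",     # web -> app server
    "10.0.2.20 10.0.3.30 1521",     # app -> database listener
    "10.0.50.14 10.0.3.30 1521",    # user workstation -> database
    "198.51.100.9 10.0.3.30 1521",  # Internet -> database
    "10.0.50.14 10.0.2.20 7001",    # user workstation -> app server
]

def tier_of(addr):
    """Return the tier name for an address, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "external"

def audit(lines):
    """Return (src, src_tier, dst, dst_tier, port) for each flow to review."""
    findings = []
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) != 3:
            continue  # skip blank, comment-only or malformed records
        src, dst, port = fields[0], fields[1], int(fields[2])
        src_tier, dst_tier = tier_of(src), tier_of(dst)
        allowed = ALLOWED_SOURCES.get(dst_tier)
        if allowed is not None and src_tier not in allowed:
            findings.append((src, src_tier, dst, dst_tier, port))
    return findings

if __name__ == "__main__":
    for src, s_tier, dst, d_tier, port in audit(SAMPLE_FLOWS):
        print(f"REVIEW {src} ({s_tier}) -> {dst}:{port} ({d_tier})")
```

Direct user-to-database flows are reported alongside Internet-to-database ones because a compromised workstation gives an outside attacker the same path.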

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.