Every 3 month I analyze the Oracle CPU with regards to the Oracle Database, but this time it’s different, there is nothing to write about (almost). There are only TWO fixes for the Database. This is the lowest number ever since the CPU program has started in 2005. Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and secure. TeamSHATTER still has a list of open issues. This time around they shipped 78 security fixes over various product families. That’s the same number of total fixes they shipped last July. However, this time is the first time the CPU included MySQL fixes, 27 of them. The conclusion can only be that they continue to water down their resources focused on Oracle Database fixes. Now, let’s take a closer look at these two issues and see what they are all about:
- CVE-2012-0082: This is the more severe of the two issues with a rating of 5.5 using Oracles proprietary Partial+ rating, scoring availability as Complete will raise the score to 7.5. According to an Oracle support document and other publicly available information this patch will fix an issue with the database running out of System Change Numbers. Customers should apply this fix after making sure it does not have any side effects on their product environments.
What’s surprising about this issue is that it is included in a CPU. I would have expected this issue to be fixed in a Patch Set, not a CPU. However, it appears that this issue has been experienced in real world installations and thus probably got pushed up the food chain. - CVE-2012-0072: This issue affects the Oracle Listener. Similar to the previous issues, this issue is using ‘Partial+’ scoring. With a ‘Complete’ score, this will rank as an 8.7 and is exploitable remotely without authentication.
Two quick bullet points and I’m done. As they say ‘This was Easy’.
Now, if you are a MySQL DBA there is real work to be done. There are 27 security fixes announced in this CPU. To apply them you need to update your MySQL database to 5.0.95, 5.1.61 or 5.5.20 depending on the major release in use at your organization. In contrast to fixes to the Oracle Database, detailed information regarding the fixes can be found on the http://dev.mysql.com site. Section D. of the respective Reference Manual has a detailed change history. The issues to worry about the most are CVE-2012-0113, CVE-2012-0116, CVE-2012-0118, CVE-2012-0496 and CVE-2012-0484. All these issues allow for a breach of confidentiality over the network. Of course all of the issues should be treated with importance and all MySQL installations should be updated at the earliest possible time.