Oracle’s Critical Patch Update for January 2015

Oracle announced their Critical Patch Update for January 2015 today.

The CPU includes a fix for the troubling E-Business Suite issue found by David Litchfield, in which EBS by default grants the INDEX privilege on the SYS-owned DUAL table to the PUBLIC role.
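As an added audit check (not from the original post), the following SQL, run as a DBA against the standard Oracle data-dictionary views, reports whether the grant described above is present and whether any schema other than SYS has created an index on SYS.DUAL:

```sql
-- Added check, not part of the original post. Run as a DBA.
-- 1. Is the grant described in the post present?
--    Any row returned means PUBLIC holds INDEX on SYS.DUAL.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DUAL'
   AND grantee    = 'PUBLIC'
   AND privilege  = 'INDEX';

-- 2. Has the privilege actually been used? An index on SYS.DUAL
--    owned by any schema other than SYS is unexpected and should
--    be investigated (who created it, and when).
SELECT i.owner, i.index_name, i.index_type, o.created
  FROM dba_indexes i
  JOIN dba_objects o
    ON o.owner       = i.owner
   AND o.object_name = i.index_name
   AND o.object_type = 'INDEX'
 WHERE i.table_owner = 'SYS'
   AND i.table_name  = 'DUAL'
   AND i.owner      <> 'SYS';
```

An empty result from both queries means the default grant is gone and nothing has been built on top of it; the CPU itself is the fix for the grant.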

The database vulnerability with the highest Homeland Security threat level is CVE-2014-6567, which could allow pre-12c databases on Windows to be “entirely compromised”. If you’re not running pre-12c databases on Windows the score drops noticeably, but it is still a 6.5.

In other news, 12.1.0.2.3 is out, should you live your life on the bleeding edge of technology. Quarterly Full Stack Download Patches for Exadata are referenced in the availability note but don’t yet link to public documents; no doubt they will soon.

SSL 3.0 is now disabled by default in Java SE. Thanks to POODLE (really), the protocol is considered obsolete, and SSL as a whole should be disabled because organizations “can no longer rely on SSL to ensure secure communications between systems”.

Quite a scary world out there, huh?

MOS reference notes: 1935468.1, 1942215.1

One thought on “Oracle’s Critical Patch Update for January 2015”

  1. […] in the week, Oracle released patch set 12.1.0.2.3. I’m not sure why Oracle didn’t call 12.1.0.2 “12c Release 2 / 12.2”, as it […]