Oracle announced their Critical Patch Update for January 2015 today.
The CPU includes a fix for this troubling exploit in E-Business Suite found by David Litchfield where EBS grants index privileges on the (SYS-owned) DUAL table to the public role by default.
The database exploit with the highest
Homeland Security threat level is CVE-2014-6567 which could allow for pre-12c databases on Windows to be “entirely compromised”. If you’re not running pre-12c databases on Windows, the threat score is noticeably reduced, but still a 6.5.
In other news, 18.104.22.168.3 is out, should you live your life on the bleeding edge of technology. Quarterly Full Stack Download Patches for Exadata are referenced in the availability note but don’t yet link to public documents; no doubt they will soon.
SSL 3.0 is disabled by default in Java SE – thanks to POODLE (really), it’s now considered obsolete and SSL as a whole should be disabled as organizations “can no longer rely on SSL to ensure secure communications between systems”.
Quite a scary world out there, huh?
MOS reference notes: 1935468.1, 1942215.1