Oracle has released a lengthy list of updates to many products. Descriptions are available here:
Of the 86 Oracle updates released, a few high-risk updates stand out:
CVE-2012-3220 (affecting Oracle Database Server products) represents the highest severity, with a CVSS base score of 9.0 (for a Windows-hosted database server) out of a possible 10; for *nix-based servers the score is lower at 6.5. It is remotely exploitable but requires authentication.
Oracle Mobile Database Server products are next on the list, with the following CVEs and CVSS base scores; all are remotely exploitable without authentication via HTTP:
The following two CVEs affect MySQL servers, with a CVSS score of 9.0 and a remote exploit requiring authentication:
The remainder of the updates listed have scores of 7.5 or lower and represent a mix of remote and local exploits, some of which do not require authentication.
In most cases, well-designed defense in depth will protect middleware and backend database servers from direct exploitation. Limiting which hosts can communicate with these systems, using both network and host-based firewalls, reduces the servers' attack surface to exploits that run through the application (SQL injection or similar) and helps mitigate these attack vectors. Database and middleware servers that can be reached from any remote host are at greater risk of attack. Applying vendor updates after testing the application in non-production environments is still best practice in all cases.
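One way to implement the host-based half of that recommendation on a Linux database server, as an added example (not part of the original diary and not Oracle's or MySQL's guidance): a small POSIX shell script that generates an nftables ruleset allowing the Oracle listener (1521) and MySQL (3306) ports only from named application-tier hosts, SSH only from an admin host, and logging everything else before dropping it. The addresses and the table name `dbfilter` are constructed for illustration; the script only prints the ruleset unless explicitly told to check or apply it.

```shell
#!/bin/sh
# Added example: generate a host firewall policy for a database server so that only
# application-tier hosts can reach the database listeners. All addresses are constructed.
APP_HOSTS="10.0.1.10 10.0.1.11"   # constructed: application servers allowed to query the DB
ADMIN_HOST="10.0.0.5"             # constructed: bastion host allowed to SSH in
DB_PORTS="1521 3306"              # Oracle listener and MySQL (constructed choice of services)

# Turn "a b c" into "a, b, c" for nftables set/port list syntax.
to_list() {
  printf '%s' "$1" | sed 's/ /, /g'
}

# Emit an nftables ruleset. Default policy is drop, so anything not explicitly
# allowed (including database ports from arbitrary remote hosts) is logged and dropped.
build_db_ruleset() {
  app_list=$(to_list "$APP_HOSTS")
  port_list=$(to_list "$DB_PORTS")
  printf 'table inet dbfilter {\n'
  printf '  set app_hosts {\n'
  printf '    type ipv4_addr\n'
  printf '    elements = { %s }\n' "$app_list"
  printf '  }\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  # Application tier may reach the database listeners; nobody else may.
  printf '    ip saddr @app_hosts tcp dport { %s } accept\n' "$port_list"
  # Administrative access only from the bastion host.
  printf '    ip saddr %s tcp dport 22 accept\n' "$ADMIN_HOST"
  # Log denied listener connections separately so they can be alerted on.
  printf '    tcp dport { %s } log prefix "db-listener-denied: " drop\n' "$port_list"
  printf '    log prefix "db-input-denied: " drop\n'
  printf '  }\n'
  printf '}\n'
}

# Count accept rules that expose a database port; used as a sanity check that the
# generated policy never opens the listeners to more than the application-tier set.
count_db_accept_rules() {
  build_db_ruleset | grep -c "tcp dport { $(to_list "$DB_PORTS") } accept"
}

case "${1:-show}" in
  show)  build_db_ruleset ;;                   # print the ruleset for review
  check) build_db_ruleset | nft -c -f - ;;     # syntax check only (needs nft installed)
  apply) build_db_ruleset | nft -f - ;;        # load it (needs root)
  *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

Run it with no arguments to review the policy, `check` to have nft validate the syntax without loading it, and `apply` to load it. The network firewall in front of the server should carry the equivalent restriction so that the host rule is a second layer rather than the only one.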
If you run any of these impacted systems and can report on your experience with these updates, please share it with us, and I will update this diary or post another one covering those experiences.
Volunteer Handler, Internet Storm Center
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.