Oracle has released a mighty 219 new security patches, including one for an “easily exploitable” Oracle NoSQL vulnerability that scored a maximum of 10 on the CVSS scale* and which could result in complete database takeover.
An alarming 142 of this week’s total Oracle patches – released to users under Redmond’s quarterly patch cycle – are remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials.
The Oracle NoSQL vulnerability affects versions up to 19.3.12.
While the vulnerability (given CVE-2018-14721) is in Oracle NoSQL Database, attacks may “significantly impact additional products”, Oracle said late Tuesday, adding that “successful attacks… can result in takeover of Oracle NoSQL Database”.
The patch, based on the CVE, appears to be a belated fix of a well-known bug in jackson-databind, a widely used Java library to parse JSON and other data formats.
Issues with this library impacted a range of products from other vendors, with an upgrade of jackson-databind packages available since May. It was unclear, given its CVSS score, why this has only just been fixed in the NoSQL product.
*Oracle security vulnerabilities are scored using CVSS version 3.0
Among the other patches are 34 for the widely used Oracle MySQL database.
These include nine for vulnerabilities that are remotely exploitable without authentication, including a 9.8-rated critical vulnerability in MySQL Workbench (an integrated development environment for the MySQL database system). No privileges are required to execute an attack based on this vuln, which affects versions up to 8.0.17.
This has CVE-2019-8457 and, again, appears to be a fix for a bug in the open source SQLite3 (versions 3.6.0 up to and including 3.27.2), which is vulnerable to a “heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.”
Other notable patches include 12 new security patches for Oracle Systems, with one, again, rated 9.8 that fixes a severe vulnerability in XCP Firmware (cURL).
The issue, given CVE-2018-1000007, affects Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2 and M12-2S Servers and can be remotely exploited over numerous protocols.
Another critical patch is for the Oracle Banking Platform. With a critical CVSS score of 9.8 and remote exploitability without credentials, it has CVE-2019-14379 and, again, relates to a bug in jackson-databind that affected numerous other products.
The Oracle Patches, in Total
The updates also include:
- 11 new security patches for the Oracle Database Server
- 13 new security patches for Oracle Construction and Engineering
- 10 new security patches for the Oracle E-Business Suite
- 7 new security patches for Oracle Enterprise Manager
- 7 new security patches for Oracle Financial Services Applications
- 7 new security patches for Oracle Food and Beverage Applications
- 37 new security patches for Oracle Fusion Middleware
- 3 new security patches for Oracle GraalVM
- 2 new security patches for Oracle Health Sciences Applications
- 3 new security patches for Oracle Hospitality Applications
- 3 new security patches for Oracle Hyperion
- 20 new security patches for Oracle Java SE
- 1 new security patch for Oracle JD Edwards
- 34 new security patches for Oracle MySQL
- 3 new security patches for Oracle PeopleSoft
- 4 new security patches for Oracle Policy Automation
- 12 new security patches for Oracle Retail Applications
- 4 new security patches for Oracle Siebel CRM
- 12 new security patches for Oracle Systems
- 3 new security patches for Oracle Supply Chain
- 2 new security patches for Oracle Support Tools
- 11 new security patches for Oracle Virtualization
Among those with credits for the bug finds were Andrej Simko of Accenture with eight finds, Andrzej Dyjak of sigsegv.pl with six finds, anhdaden of Singapore’s STAR Labs with three finds and Alexander Kornbrust of Red Database Security with three finds.