1. the process of sorting victims, as of a battle or disaster, to determine medical priority in order to increase the number of survivors.
2. the determination of priorities for action in an emergency.
As always, our focus at Threat Center is on remotely exploitable vulnerabilities. Our interest in privilege escalations and local attacks takes a back seat to vulnerabilities where an anonymous attacker could compromise your business.
Yesterday was Oracle's quarterly "Critical Patch Update" or CPU. This round they released 36 new security issues across the following products:
- Oracle Database
- Oracle Secure Enterprise Search
- Oracle Application Server
- Oracle Collaboration Suite
- Oracle E-Business Suite
- Oracle Enterprise Manager
- Oracle PeopleSoft Enterprise
In other words, just about every Oracle product is affected. The Suites listed above include numerous programs such as the Oracle Portal, Oracle Streams, Oracle iSupport, Oracle iStore, Oracle Applications Manager, Oracle Agent, and more. For details on all of the patches, view Oracle's security advisory. For a quick triage of the updates, read on below.
DB01 Core RDBMS Authentication Bypass on Windows
This flaw is specific to Oracle databases running on Windows machines that have "Simple File Sharing" enabled. Simple File Sharing allows a user to share files with anyone without the hassle of managing usernames and passwords. All users are authenticated as Guest regardless of the username or password they provide. If Oracle is configured to use OS-based authentication on a machine with Simple File Sharing enabled, then every attempt to authenticate against the database as any user will be successful. Hopefully if you're running Oracle Database on a Windows machine you aren't also doing any kind of file sharing, and especially not the free-for-all file sharing that is "Simple File Sharing."
David Litchfield has a paper with the full details.
DB05 Authentication Component Logon Trigger Bypass
Oracle Enterprise Manager
EM01 Oracle Agent Authentication Bypass
Oracle Application Server
AS04 and AS05 Oracle Portal Component Flaws
Oracle E-Business Suite
APSS02 Oracle iProcurement and APPS03 Oracle Report Manager
APPS05 and APPS06 Oracle iStore Parameter Tampering Issues
And that's it for the vulnerabilities that look serious to us. For the less serious vulnerabilities where authenticated users are able to gain elevated privileges, there are some exploits in the wild, so if you have strict trust settings, you will want to get going on installing these patches.
Of course we recommend installing all of the patches as soon as possible. If you need time to test the patches before installing, then start with the ones listed above.
Note from the sponsor: Many of the flaws that are fixed in this month's Oracle CPU center around SQL Injection and Cross Site Scripting. eSoft's Intrusion Prevention Softpak provides generic protection for many of these types of attacks. To prevent these types of attacks in the future, refer to eSoft's newest whitepaper, 10 Tips to Better Security.