Oracle Issues Security Fixes for MySQL, Other Database Products

Database developers were put on watch this week as Oracle issued a Critical Patch Update targeting 86 security vulnerabilities, including 18 for its MySQL database products.

Also affected are Oracle Database 11g Release 2 and earlier versions, Oracle Database Mobile Server and Oracle Database Lite Server.

The security vulnerabilities for MySQL, which Oracle acquired when it purchased Sun Microsystems in 2009, range in severity from 3.5 to 9.0 on the standard CVSS Base Score risk index. Two of the MySQL vulnerabilities can be exploited remotely by attackers without any authentication credentials.

Two vulnerabilities in the Mobile Server and Lite Server products were rated 10.0 on the CVSS scale.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," Oracle said in its January 2013 patch update advisory.

The MySQL vulnerabilities affect subcomponents such as InnoDB, server optimization, parsing, privileges, stored procedures, replication and others. Oracle said successful attacks that exploit these vulnerabilities can result in OS hangs, denial-of-service crashes and, most seriously, OS takeovers and execution of arbitrary code. Server privileges and server parsing were the MySQL subcomponents receiving the highest security risk grade of 9.0, although that rating applies only to Windows-based products; Linux, Unix and other platform products received a lower risk rating.

Other Oracle products affected by the January 2013 patch update include E-Business Suite, PeopleSoft products, JD Edwards products, Siebel CRM, Fusion Middleware and several others.

Oracle also provided some temporary workaround guidance until the patch updates can be applied. "Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack," Oracle said. "For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."

Oracle issues critical patch updates four times each year, in January, April, July and October.

About the Author

David Ramel is an editor and writer for Converge360.