Security experts are urging Oracle customers to move quickly on deploying the quarterly Critical Patch Update (CPU) released by the company yesterday, as the updates include fixes for a number of very high-risk vulnerabilities within the Oracle's Fusion Middleware and database product portfolios.

Overall, the CPU included 87 patches across its product lines. Chief among the concerns is a CVSS level 10 vulnerability in JRockit and several database vulnerabilities that could leave users open to denial-of-service (DoS) attacks.

[ Is Oracle doing a good job keeping databases patched? See 7 Ways Oracle Puts Database Customers At Risk. ]

"It’s a shock to have such a critical issue with a risk score of 10 in the core component of Oracle’s Fusion Middleware platform," says Jaime Ryan, partner solutions architect at Layer 7 Technologies. "This raises concerns about data leaks in major enterprise applications. With today’s trend of exposing internal assets to external partners and mobile devices, the integrity of corporate data is at risk."

JRockit, a Java Virtual Machine built into Oracle Fusion Middleware, is left extremely vulnerable to remote attack without this current patch. It is the second CPU in a row where patches to this application topped the priority list.

"It was unfortunate that JRockit was the highest rated vulnerability two CPUs in a row," says Marcus Carey, security researcher at Rapid7. "This happens many times when researchers and attackers turn their attention to software after highly publicized vulnerabilities, such as April’s CPU."

From a database perspective, the CPU included fixes for seven Oracle Database Server vulnerabilities and six MySQL vulnerabilities, with one from each group rated with a CVSS score of 6.8. Carey believes the MySQL vulnerabilities should be of most concern to organizations.

"MySQL vulnerabilities may be the most impactful from a database security perspective," he says. "In fact, some recent research we recently conducted revealed that of the 1.74 million MySQL servers identified, slightly more than 50 percent did not enforce host-based access controls."

He warns that given the ubiquity of the platform, MySQL vulnerabilities, in general, should always be given extra attention no matter what the vulnerability severity.

"In the case of yesterday’s fixes, they were all related to denial-of-service vulnerabilities. We know that there is an abundant amount of poorly designed and implemented systems that allow connection to MySQL from the Internet," Carey says. "Targeted attacks could definitely cause major outages in those cases."

Though not directly a database vulnerability, an Oracle Application Express Listener vulnerability rated 7.8 should also give pause to an organization's data security team. Though he says Oracle has not given enough details about its vulnerabilities to know exactly what the vulnerabilities entail, Imperva CTO Amichai Shulman believes that three of the database vulnerabilities also have links to TNS Listener functionality, a detail he finds disconcerting

"There are very few details about the individual vulnerabilities, as usual with Oracle," he says. "However, I would say that having three new vulnerabilities in a straightforward, allegedly mature component such as the Oracle TNS Listener -- which I assume CVE-2012-1745, CVE-2012-1746, and CVE-2012-1747 are -- is an alarming point."

Shulman and others within the database security community have long been critical of Oracle for the scanty details given about vulnerabilities included in its CPUs. He believes that more information is necessary for organizations as they plan their patch testing and deployment, a sometimes lengthy process in the touchy mission-critical database environment.

"If Oracle would disclose enough details, I would probably have some ideas for external workarounds," Shulman says. "However, Oracle is persistently hiding technical details about vulnerabilities, denying any solution that is not patching."

Regardless, Ryan says these database vulnerabilities reinforce the importance of robust network and application security regimens.

"Databases should only be accessible from well-protected network segments, and the applications that use the data need to be carefully protected against external threats," he says. "Strict session breaks, identity validation, and data verification are all important segments of application security. Enterprises should work with vendors that consider security a number one priority, even if that means adding an extra gateway layer in front of exposed applications."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.