Oracle is urging customers to apply the April 2012 Critical Patch Update (CPU), which addresses 88 security holes affecting several products.
The affected pieces of software include versions of Oracle Database, Oracle Application Server, Oracle BI Publisher, Oracle DB UM Connector for Oracle Identity Manager, Oracle Identity Manager, Oracle JDeveloper, Oracle JRockit, Oracle PeopleSoft Enterprise, Enterprise Manager Grid Control, and even Oracle MySQL Server.
Three of the vulnerabilities affecting components of the Oracle Database Server suite could be exploited remotely even if the attacker does not possess authentication credentials.
The CPU contains 11 fixes for Oracle Fusion Middleware products, 9 of which can also be leveraged remotely and without a username and password.
Six vulnerabilities are addressed in Oracle Enterprise Manager Grid Control products and 4 security holes in the Oracle E-Business Suite. All 4 flaws affecting the latter can be remotely exploited.
Fortunately, none of the weaknesses present in Oracle MySQL software can be used remotely and without authentication.
While they are not recommended as long-term solutions, companies which for various reasons cannot apply the CPU fixes can rely on a number of workarounds. To reduce the risk of successful cybercriminal operations, Oracle customers are advised to block the network protocols that may be used in attacks.
Also, removing rights from users who do not actually require them is a good way of preventing attacks that depend on certain privileges.
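The privilege-reduction workaround above is easier to apply once an administrator knows which accounts hold broad grants. The following Oracle SQL is an added example, not part of the article or of Oracle's advisory: it lists accounts with powerful roles, "ANY" system privileges and grants made to PUBLIC, then revokes grants from a hypothetical account named `app_reporting`. It assumes a session that can read the `DBA_*` data dictionary views (for instance one holding `SELECT_CATALOG_ROLE`).

```sql
-- Added example (not from the article): audit Oracle Database accounts that hold
-- broad privileges so that grants nobody needs can be revoked.
-- Assumes SELECT access to the DBA_* dictionary views.

-- 1. Accounts granted powerful roles directly.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee;

-- 2. Accounts holding "ANY" system privileges, which bypass per-object grants.
--    Roles are filtered out so the result shows user accounts only.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM')
AND    grantee NOT IN (SELECT role FROM dba_roles)
ORDER  BY grantee, privilege;

-- 3. System privileges granted to PUBLIC, which every account inherits.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC';

-- 4. Revoke grants the audit showed to be unnecessary.
--    'app_reporting' is a hypothetical account name used for illustration.
REVOKE DBA FROM app_reporting;
REVOKE SELECT ANY TABLE FROM app_reporting;
```

Run the three queries before the CPU is applied and again afterwards; the revocations in step 4 should be limited to grants the application owner has confirmed are unused, since a revoke takes effect for new sessions immediately.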
As for the individuals who reported the vulnerabilities to Oracle, the list mentions Alexander Kornbrust from Red Database Security and Andrea Micalizzi, collaborating with TippingPoint's Zero Day Initiative.
TippingPoint DVLabs’ Brian Gorenc, Peter Maklary of LYNX, Shrikant Antre and Sunil Yadav from Network Intelligence, Sow Ching Shiong, who reported his findings through Secunia, and many others have also been credited.