Ah, time flies when you’re having fun. It seems that only yesterday we worked on the October CPU and now Oracle has released the January CPU.

This time, Oracle acknowledged 24 security fixes, 9 of them in the database layer. This number is a bit lower than the average, but as in the previous CPU, there is a vulnerability that can be exploited remotely without authentication to take control of the machine (on Windows) or of the Oracle account (on *nix).

Analyzing the CPU provides an interesting story. As always, Oracle talks about x vulnerabilities but actually patches y (which is much bigger than x). In this CPU, we’ve already analyzed more than 15 different vulnerabilities and we’re still counting!

Based on the severity of some of the vulnerabilities, if you have one of the supported versions you know you need to patch!
It’s also important to understand that if you are running any 9i, 10gR1, 10gR2 or 11gR1 release, you’re vulnerable: Oracle only provides CPUs for the latest patch-sets.

I’m happy to see three Sentrigo researchers were credited in this CPU (including myself!). Go Red Team!

Of course, Sentrigo customers are already protected against many of the vulnerabilities using our own vPatches and we will release updated vPatches to cover the others.

In this case, my advice is to wait a week to make sure that there are no issues with the patch and then patch as soon as possible, since the vulnerabilities are so severe. Patch as soon as possible – but only after ensuring that your applications are not breaking.

If you can’t patch quickly, or are unable to patch at all for valid reasons, try virtual patching as a stop-gap solution.