
Oracle Critical Patch Update for October 2014

Posted: Tue Oct 21, 2014 8:46 am
by sam
Apply this CPU soon! I have never seen a warning from Oracle like this before:

*********************************************************************************************
Oracle released our quarterly security patch on 14 October and I'd like to bring it to your attention. This critical patch update should be given a high priority. During a meeting with our development team I heard this referred to as one of the most significant security patches to hit our database ever.

This quarter's patch includes fixes for 6 level "9" issues in the database dealing with the Oracle Database JVM. These include fixes for database java issues that were discovered by a third-party security researcher. As a courtesy to our customers, this researcher is waiting for one month following our release of a patch (today) to publish his findings. Our customers need to begin work to get these patches in TODAY - the risk involved in not applying this security patch is very high, and none of our customers wants to be running unpatched versions of our database on 14 November 2014 when the security researcher that found these issues publishes.

In cases where you cannot apply the CPU/PSU within the next month you should at least evaluate the OJVM Mitigation Patch described in MOS note 1929745.1. This will lock down java in the database so that no new java stored procedures can be created, but will allow existing code to continue running. If you have java enabled in your database (and most of our customers do) you need to take action quickly. This issue impacts all versions of the database from Oracle 9i to the current release.

Please keep in mind that this quarter's CPU is not just another security patch - it should be very high on your priority list.
*********************************************************************************************
http://www.oracle.com/technetwork/topic ... 72960.html