Oracle Corp. released fixes Tuesday for multiple security holes in Enterprise Manager, Database Server and Application Server. It was the first security update in the company's new monthly patching cycle.
"Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems," Oracle said in a statement Tuesday. "To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracle's Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities."
The Redwood Shores, Calif.-based company said the vulnerabilities affect:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 126.96.36.199 and 188.8.131.52
- Oracle9i Database Server Release 1, versions 184.108.40.206, 220.127.116.11 and 9.0.4
- Oracle8i Database Server Release 3, version 18.104.22.168
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 22.214.171.124 and 126.96.36.199
- Oracle9i Application Server Release 2, versions 188.8.131.52 and 184.108.40.206
- Oracle9i Application Server Release 1, version 220.127.116.11
Oracle said of the vulnerabilities in the Database and Application servers, "The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account." Of the Enterprise Manager vulnerabilities, the company said, "The unpatched exposure risk is medium; exploiting these vulnerabilities requires a valid operating system user account on the Enterprise Manager host."
Some patches "eliminate vulnerabilities in the Database Server and the Listener." Others plug holes "in the Portal and iSQL*Plus components of Oracle Application Server." The rest fix vulnerabilities in Enterprise Manager. The security bulletin does not outline what the specific security holes are or what an attacker could accomplish by exploiting them. But David Litchfield, a researcher at U.K.-based NGSSoftware, discussed the vulnerabilities his company discovered at length during July's Black Hat Briefings in Las Vegas. Generally, he said, the flaws have to do with the Procedural Language/Structured Query Language and its triggers. One flaw allows an attacker to gain control of the database server without a userID or password, while others could allow a low-privileged user to take over the database server.
Oracle's bulletin added that "all Collaboration Suite customers should apply the Oracle Database patches to their Information Storage database and the Oracle Application Server-embedded database. Collaboration Suite customers should also apply the application server patch to the Oracle Application Server infrastructure installation and to each Collaboration Suite middle tier installation. Collaboration Suite customers that have upgraded their Information Storage database to version Oracle Database 10g Release 1, version 10.1.0.2 should also apply the Enterprise Manager patch."
Further, it said, "E-Business Suite Release 11i customers should apply the available Oracle Database patches to their current Oracle Database Servers, which should be one of the following: Oracle8i Database Server Release 3, version 18.104.22.168; Oracle9i Database Server Release 2, version 22.214.171.124; and Oracle9i Database Server Release 2, version 126.96.36.199. E-Business Suite Release 11i customers should also apply the Oracle Application Server patch to their current Oracle Application Server releases, which should be one of the following: Oracle9i Application Server Release 1, version 188.8.131.52; and Oracle Application Server 10g (9.0.4), version 184.108.40.206."
Oracle announced its decision to do monthly security updates two weeks ago after news of 34 vulnerabilities in multiple versions of its database server -- the majority of them critical -- were widely reported. An Oracle spokesperson had earlier acknowledged the decision was hastened by Litchfield's announcement of the flaws.