Oracle unloads critical patch pile

The company offered few details on what the flaws are, but they are critical and affect a long list of products.

Oracle Corp. released a mammoth security update Tuesday, fixing critical flaws malicious users could exploit to launch damaging code, bypass access restrictions, cause a denial of service or conduct cross-site scripting and SQL injection attacks.


The Redwood Shores, Calif.-based vendor offered few details on what the vulnerabilities are and where they reside, though it did describe yesterday's rollout as a critical "collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches."

Oracle said the vulnerabilities affect the following products:

  • Oracle Application Server 10g
  • Oracle Collaboration Suite Release 1
  • Oracle Collaboration Suite Release 2
  • Oracle Database 8.x
  • Oracle Database Server 10g
  • Oracle Developer Suite 10g
  • Oracle E-Business Suite 11i
  • Oracle Enterprise Manager 10.x
  • Oracle Enterprise Manager 9.x
  • Oracle9i Application Server
  • Oracle9i Database Enterprise Edition
  • Oracle9i Database Standard Edition
  • PeopleSoft Enterprise Customer Relationship Management (CRM) 8.x
  • PeopleSoft EnterpriseOne Applications 8.x
  • JD Edwards EnterpriseOne 8.x
  • JD Edwards OneWorld 8.x

Danish vulnerability watchdog Secunia said in an advisory that as many as 85 vulnerabilities may affect various Oracle products. Secunia said the flaws include, among other things:

  • A buffer overflow flaw and 17 PL/SQL injection vulnerabilities in Oracle Database 10g and Oracle9i Database Server.
  • A problem in which "some input passed to 'test.jsp' of the Oracle Reports Server isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
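The PL/SQL injection class Secunia counts 17 instances of is worth seeing in code. The following is an added illustration, not one of the patched Oracle packages and not code from the article: a hypothetical definer's-rights procedure (get_emp_unsafe, the emp table, and the sample argument are all assumed) that splices its caller's argument into dynamic SQL, beside a parameterized and invoker's-rights form.

```sql
-- Added example (hypothetical procedure, not an Oracle-shipped package).
-- A PL/SQL procedure that builds a statement by string concatenation is
-- injectable, and because it runs with its owner's privileges by default
-- (AUTHID DEFINER), the injected SQL runs with those privileges too.
CREATE OR REPLACE PROCEDURE get_emp_unsafe (p_name IN VARCHAR2) AS
  v_sql VARCHAR2(4000);
  v_id  NUMBER;
BEGIN
  -- Caller-controlled p_name is spliced straight into the SQL text.
  v_sql := 'SELECT empno FROM emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_id;
  DBMS_OUTPUT.PUT_LINE('empno = ' || v_id);
END;
/

-- Constructed attack input: the quote closes the literal, the UNION pulls a
-- row from a table the caller may have no grant on, and the trailing comment
-- discards the closing quote the procedure appends.
--   EXEC get_emp_unsafe('X'' UNION SELECT user_id FROM all_users WHERE username = ''SYS'' --')

-- Hardened form: a bind variable keeps the argument out of the statement
-- text entirely, and AUTHID CURRENT_USER stops the procedure from lending
-- its owner's privileges to whoever calls it.
CREATE OR REPLACE PROCEDURE get_emp_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER AS
  v_id NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT empno FROM emp WHERE ename = :name'
    INTO v_id USING p_name;
  DBMS_OUTPUT.PUT_LINE('empno = ' || v_id);
END;
/
```

Bind variables cover the common case of a value supplied at run time. Where a procedure genuinely has to accept an object or column name, which cannot be bound, the name should be validated before concatenation (for example with DBMS_ASSERT.SIMPLE_SQL_NAME), and the procedure should still be declared AUTHID CURRENT_USER unless it must run as its owner.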

The French Security Incident Response Team (FrSIRT) also issued an advisory on the patches, saying the flaws could be exploited "by remote or local attackers" to carry out the attacks described above.
