Oracle unloads critical patch pile

Bill Brenner

Oracle Corp. released a mammoth security update Tuesday, fixing critical flaws malicious users could exploit to launch damaging code, bypass access restrictions, cause a denial of service or conduct cross-site scripting and SQL injection attacks.

The Redwood Shores, Calif.-based vendor offered few details on what the vulnerabilities are and where they reside, though it did describe yesterday's rollout as a critical "collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches."

Oracle said the vulnerabilities affect the following products:

  • Oracle Application Server 10g
  • Oracle Collaboration Suite Release 1
  • Oracle Collaboration Suite Release 2
  • Oracle Database 8.x
  • Oracle Database Server 10g
  • Oracle Developer Suite 10g
  • Oracle E-Business Suite 11i
  • Oracle Enterprise Manager 10.x
  • Oracle Enterprise Manager 9.x
  • Oracle9i Application Server
  • Oracle9i Database Enterprise Edition
  • Oracle9i Database Standard Edition
  • PeopleSoft Enterprise Customer Relationship Management (CRM) 8.x
  • PeopleSoft EnterpriseOne Applications 8.x
  • JD Edwards EnterpriseOne 8.x
  • JD Edwards OneWorld 8.x

Danish vulnerability watchdog Secunia said in an advisory that as many as 85 vulnerabilities may affect various Oracle products. Secunia said the glitches include, among other things:

  • A buffer overflow flaw and 17 PL/SQL injection vulnerabilities in Oracle Database 10g and Oracle9i Database Server.
  • A problem in which "some input passed to 'test.jsp' of the Oracle Reports Server isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."

The French Security Incident Response Team (FrSIRT) also issued an advisory on the patches, saying the flaws could be used "by remote or local attackers" to launch the various exploits.

