Oracle releases critical, out-of-cycle patch

Two months ahead of its next scheduled patch release, the database giant fixes critical security holes in its E-Business Suite. The flaws are in the software's diagnostics feature.

Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead of its next scheduled security update.

Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites.

Chicago-based security firm Integrigy Corp. said in a report (pdf) that the patch covers "a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes." The most significant issue is that some of the diagnostics can be executed without any authentication, and "it is possible to configure the diagnostics to be unrestricted. Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."


The Oracle Diagnostics feature in E-Business Suite 11i allows IT administrators to run technical and functional tests on the configuration and setup of the application, Integrigy said. The tests cover a range of functionality from the application server setup to functional tests in modules such as General Ledger and Human Resources, the company added.
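The report above describes the class of bug, not its code, so the following is an added illustration and not Oracle's or Integrigy's code: a toy "diagnostic test" that looks up a module's configuration by name, written first with string concatenation (the SQL injection pattern the patch addresses) and then with a bound parameter. The table, rows and the injected input are constructed for this example; the point is that the concatenated version lets a caller comment out the `restricted = 0` filter and read rows the diagnostic was never meant to expose.

```python
import sqlite3

# Constructed sample data standing in for an application's configuration table.
# This is an invented schema for illustration, not Oracle E-Business Suite's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE module_config "
        "(module TEXT, setting TEXT, value TEXT, restricted INTEGER)"
    )
    rows = [
        ("GL", "period_close", "auto", 0),
        ("HR", "ssn_display", "masked", 0),
        ("HR", "payroll_db_password", "s3cret", 1),  # should never be shown
    ]
    conn.executemany("INSERT INTO module_config VALUES (?, ?, ?, ?)", rows)
    return conn


def diag_lookup_vulnerable(conn, module):
    """Injectable: the caller-supplied module name becomes part of the SQL text,
    so a quote plus a '--' comment marker discards the 'restricted = 0' clause."""
    sql = (
        "SELECT setting, value FROM module_config "
        "WHERE module = '" + module + "' AND restricted = 0"
    )
    return conn.execute(sql).fetchall()


def diag_lookup_fixed(conn, module):
    """Hardened: the module name is bound as a parameter, so it can only ever be
    compared as a value and never changes the statement's structure."""
    sql = (
        "SELECT setting, value FROM module_config "
        "WHERE module = ? AND restricted = 0"
    )
    return conn.execute(sql, (module,)).fetchall()


# Hypothetical attacker input: closes the string literal and comments out the rest.
INJECTED_MODULE = "HR'--"


def demo():
    """Return both lookups' results for a legitimate and an injected module name."""
    conn = build_db()
    return {
        "legit_vulnerable": diag_lookup_vulnerable(conn, "HR"),
        "legit_fixed": diag_lookup_fixed(conn, "HR"),
        "injected_vulnerable": diag_lookup_vulnerable(conn, INJECTED_MODULE),
        "injected_fixed": diag_lookup_fixed(conn, INJECTED_MODULE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the legitimate name both versions return the single unrestricted HR row. With the injected name the concatenated query returns every HR row, restricted or not, while the parameterised query returns nothing because no module is literally called `HR'--`. The same pattern applies whether the diagnostic is reachable with or without a session; authentication limits who can reach the page, binding parameters limits what the page can be made to do.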

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, described the update in his blog as a "stealth security patch," since the fixes ship inside an upgrade rather than through the normal security release process. Unusually, though, Oracle has been more open about this fix than it has been with past out-of-cycle updates.

"They normally only release security patches as part of the Critical Patch Update (CPU) process on a quarterly basis," he said. "It is common, however, to include security fixes in upgrades that are then included in the next CPU. [But] it is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," as it did in this case.

Oracle issued its last CPU in January, when it fixed 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The next scheduled patch release is April 18.
