Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead...
of its next scheduled security update.
Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites.
Chicago-based security firm Integrigy Corp. said in a report (pdf) that the patch covers "a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes." The most significant issue is that some of the diagnostics can be executed without any authentication, and "it is possible to configure the diagnostics to be unrestricted. Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."
As to why Oracle released the fix now, Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, described the update as a "stealth security patch" in his blog, yet Oracle oddly hasn't kept the information as guarded as it has with past out-of-cycle updates.
"They normally only release security patches as part of the Critical Patch Update (CPU) process on a quarterly basis," he said. "It is common, however, to include security fixes in upgrades that are then included in the next CPU. [But] it is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," as it did in this case.
Oracle issued its last CPU in January, when it fixed 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.
The next scheduled patch release is April 18.