Oracle releases critical, out-of-cycle patch


Bill Brenner, Senior News Writer

Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead of its next scheduled security update.

Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites.

Chicago-based security firm Integrigy Corp. said in a report (pdf) that the patch covers "a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes." The most significant issue is that some of the diagnostics can be executed without any authentication, and "it is possible to configure the diagnostics to be unrestricted. Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."


The Oracle Diagnostics feature in E-Business Suite 11i allows IT administrators to run technical and functional tests on the configuration and setup of the application, Integrigy said. The tests cover a range of functionality from the application server setup to functional tests in modules such as General Ledger and Human Resources, the company added.

As for the timing of the fix, Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, described the update in his blog as a "stealth security patch," yet Oracle oddly hasn't kept the information as closely guarded as it has with past out-of-cycle updates.

"They normally only release security patches as part of the Critical Patch Update (CPU) process on a quarterly basis," he said. "It is common, however, to include security fixes in upgrades that are then included in the next CPU. [But] it is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," as it did in this case.

Oracle issued its last CPU in January, when it fixed 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The next scheduled patch release is April 18.