Article

Oracle's July 2007 CPU has 45 security fixes

Bill Brenner

Oracle Corp.'s July 2007 Critical Patch Update (CPU) contains 45 security fixes for flaws across the company's product line attackers could exploit to tamper with corporate databases without the need

    Requires Free Membership to View

for a username and password.

Oracle security:
Podcast: The state of Oracle security: In this edition of Security Wire Weekly, Oracle DBA Jon Emmons gives his observations about Oracle's new critical patch update format.

Podcast: Security360 - SOA, Web Services Security: ZapThink analyst Jason Bloomberg offers an overview of the security issues unique to SOA environments, while executives from SAP and Oracle discuss how they address SOA security.

April - Oracle patches 36 holes: Oracle issued patches for 36 holes in the database management system, application server, E-Business Suite and JD Edwards and PeopleSoft software.

Jan. - Oracle releases 51 security fixes: The flaws are across Oracle's product line and attackers could exploit them remotely to compromise vulnerable systems.

Oracle emulates Microsoft with advance patch notice: Oracle will patch 52 security flaws across its product line Tuesday, according to its inaugural CPU advance notification bulletin.

The Redwood Shores, Calif.-based database giant released the CPU Tuesday afternoon with one fix fewer than it predicted in last week's advance bulletin. "Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," the vendor said in its CPU bulletin.

The CPU fixes:

  • Nineteen flaws in Oracle Database products, two of which attackers could exploit remotely over a network without the need for a username and password.
  • Four flaws in Oracle Application Server, three of which attackers could exploit remotely without authentication.
  • A flaw in Oracle Collaboration Suite that may be remotely exploitable without authentication.
  • Fourteen flaws in Oracle E-Business Suite (EBS), six of which attackers could exploit over a network without the need for a username and password.
  • Three flaws in Oracle PeopleSoft Enterprise PeopleTools, two in PeopleSoft Enterprise Customer Relationship Management and two in PeopleSoft Enterprise Human Capital Management. One of the flaws in Oracle PeopleSoft Enterprise PeopleTools may be remotely exploitable without a username and password.

The Application Defense Center of Foster City, Calif.-based Imperva Inc. discovered one of the Oracle E-Business Suite flaws. According to Imperva's Oracle E-Business Suite advisory, attackers could exploit an XSS vulnerability in the product to steal sensitive data and launch phishing attacks. Successful attackers could steal information from users of the business suite whether they are employees of the organization that deploys the business suite or partners that access it in a self-service mode, said Amichai Shulman, chief technology officer of Imperva and director of its Application Defense Center.

"The flaw is in the Web interface and doesn't require authentication," he said. "It's a cross-site scripting vulnerability that allows attackers to execute malicious code on a victim's browser by sending specially crafted links to the targeted application. The attacker could use this to gain unauthorized access to an E-Business suite."

Shulman said the flaw is especially critical for those who expose their E-Business suite to the Internet through partners, vendors and customers.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: