Oracle's July 2007 CPU has 45 security fixes

Article

Oracle's July 2007 CPU has 45 security fixes

Bill Brenner, Senior News Writer

Oracle Corp.'s July 2007 Critical Patch Update (CPU) contains 45 security fixes for flaws across the company's product line attackers could exploit to tamper with corporate databases without the need

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

for a username and password.

Oracle security:
Podcast: The state of Oracle security: In this edition of Security Wire Weekly, Oracle DBA Jon Emmons gives his observations about Oracle's new critical patch update format.

Podcast: Security360 - SOA, Web Services Security: ZapThink analyst Jason Bloomberg offers an overview of the security issues unique to SOA environments, while executives from SAP and Oracle discuss how they address SOA security.

April - Oracle patches 36 holes: Oracle issued patches for 36 holes in the database management system, application server, E-Business Suite and JD Edwards and PeopleSoft software.

Jan. - Oracle releases 51 security fixes: The flaws are across Oracle's product line and attackers could exploit them remotely to compromise vulnerable systems.

Oracle emulates Microsoft with advance patch notice: Oracle will patch 52 security flaws across its product line Tuesday, according to its inaugural CPU advance notification bulletin.

The Redwood Shores, Calif.-based database giant released the CPU Tuesday afternoon with one fix fewer than it predicted in last week's advance bulletin. "Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," the vendor said in its CPU bulletin.

The CPU fixes:

  • Nineteen flaws in Oracle Database products, two of which attackers could exploit remotely over a network without the need for a username and password.
  • Four flaws in Oracle Application Server, three of which attackers could exploit remotely without authentication.
  • A flaw in Oracle Collaboration Suite that may be remotely exploitable without authentication.
  • Fourteen flaws in Oracle E-Business Suite (EBS), six of which attackers could exploit over a network without the need for a username and password.
  • Three flaws in Oracle PeopleSoft Enterprise PeopleTools, two in PeopleSoft Enterprise Customer Relationship Management and two in PeopleSoft Enterprise Human Capital Management. One of the flaws in Oracle PeopleSoft Enterprise PeopleTools may be remotely exploitable without a username and password.

The Application Defense Center of Foster City, Calif.-based Imperva Inc. discovered one of the Oracle E-Business Suite flaws. According to Imperva's Oracle E-Business Suite advisory, attackers could exploit an XSS vulnerability in the product to steal sensitive data and launch phishing attacks. Successful attackers could steal information from users of the business suite whether they are employees of the organization that deploys the business suite or partners that access it in a self-service mode, said Amichai Shulman, chief technology officer of Imperva and director of its Application Defense Center.

"The flaw is in the Web interface and doesn't require authentication," he said. "It's a cross-site scripting vulnerability that allows attackers to execute malicious code on a victim's browser by sending specially crafted links to the targeted application. The attacker could use this to gain unauthorized access to an E-Business suite."

Shulman said the flaw is especially critical for those who expose their E-Business suite to the Internet through partners, vendors and customers.