Oracle patches serious holes with latest CPU

Vulnerabilities in Oracle Application Server can be exploited remotely to hijack a system, according to Oracle's latest Critical Patch Update.

Oracle Corp. on Tuesday released its Critical Patch Update fixing vulnerabilities across its database and application product lines.


Redwood Shores, Calif.-based Oracle said its security update contained patches for 27 flaws, including eight flaws in Oracle Database and six new security fixes for Oracle Application Server.

The more threatening database flaws included several SQL injection vulnerabilities and an XML DB handling error that could be exploited by an attacker without any special privileges, said Amichai Shulman, chief technology officer of Foster City, Calif.-based Imperva Inc. XML DB is a feature that provides native XML storage and retrieval technology within Oracle Database.

The focus of this particular CPU should be on client-side vulnerabilities, Shulman said. Five of the application server vulnerabilities may be remotely exploitable without authentication.

A problem with Oracle JInitiator is one of the most critical vulnerabilities, Shulman said. JInitiator enables end users to run Oracle Developer Server applications directly within Netscape Navigator or Internet Explorer on the Windows 95/98/2000 and Windows NT 4.0 platforms.

In addition, flaws were repaired in Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle PeopleSoft Enterprise products.

Meanwhile, a new survey suggests that Oracle database administrators are failing to deploy patches. The survey, however, is far from scientific, and some IT pros believe the results may be skewed.


The survey was conducted by Woburn, Mass.-based database security vendor Sentrigo and polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008.

The vendor asked whether the DBAs had ever applied an Oracle CPU. The vendor said 206 of those surveyed said they had never applied any Oracle CPU. Only 31 said they had installed the most recent security update from Oracle.

Slavik Markovich, chief technology officer at Sentrigo, said DBAs are ignoring CPUs for a variety of reasons. It is difficult to test and deploy updates without disrupting systems, he said.

"Oracle is the most complicated database with the most features and this makes its attack surface much larger," he said.

Markovich said the results of the survey are startling. In many cases, system stability and uptime may be trumping security, he said.

"The IT security guys may not be quite aware of what's going on in the database side," he said. "They think everything's being applied, but it's not."

Industry experts say it's unclear whether the respondents in the survey are DBAs with Oracle databases in a production environment. For example, DBAs within a software development organization would not need to deploy patches right away. Most firms with multiple production databases are bound by compliance regulations to have a patching cycle, said Imperva's Shulman.

"I'm certain that the vast majority of DBAs do not apply patches as they go out, because our surveys show that they are usually six to 12 months between patch cycles," Shulman said.
