Oracle fixes 41 flaws in April CPU

Attackers could exploit several Oracle flaws to compromise the confidentiality and integrity of targeted systems, Symantec said hours after Oracle's April 2008 CPU was released.

As expected, Oracle fixed 41 flaws across its product line with the April 2008 Critical Patch Update (CPU) released Tuesday. Hours after the release, Symantec Corp. warned that attackers could exploit several of the glitches to compromise the confidentiality and integrity of targeted systems.

It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer.
Slavik Markovich,
chief technology officerSentrigo

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the vulnerabilities affect such products as Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.

Specifically, the CPU includes 17 fixes for Oracle Database products and three for Oracle Application Server. Oracle said attackers could remotely exploit several of the flaws, including all three application server issues, without the need for a username and password.

Eleven fixes address flaws in Oracle E-Business Suite, seven of which are remotely exploitable; one fix is for Oracle Enterprise Manager; three are for the PeopleSoft-JDEdwards Suite; and six affect Oracle Siebel Enterprise Suite.

By comparison, Oracle's January 2008 CPU contained 26 fixes.

Amichai Shulman, chief technology officer of security vendor Imperva, said in an email that like prior Oracle CPUs there is evidence Oracle is addressing vulnerabilities in a very localized manner each time rather than going through a thorough security analysis. He also criticized the database giant for skimping on details in the CPU bulletin.

"It would have been helpful if Oracle provided more details regarding the nature of the fixed vulnerabilities so customers could better assess the actual threats to their systems given the protection mechanisms that they already have in place," he said.

Slavik Markovich, chief technology officer of security vendor Sentrigo, said the CPU reveals an endless source of ammunition for SQL injection and buffer overflow attacks.

"It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer," he said. "Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch."

Dig deeper on Database Security Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close