Oracle fixes 41 flaws in April CPU

Bill Brenner

As expected, Oracle fixed 41 flaws across its product line with the April 2008 Critical Patch Update (CPU) released Tuesday. Hours after the release, Symantec Corp. warned that attackers could exploit

    Requires Free Membership to View

several of the glitches to compromise the confidentiality and integrity of targeted systems.

It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer.
Slavik Markovich,
chief technology officerSentrigo

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the vulnerabilities affect such products as Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.

Specifically, the CPU includes 17 fixes for Oracle Database products and three for Oracle Application Server. Oracle said attackers could remotely exploit several of the flaws, including all three application server issues, without the need for a username and password.

Eleven fixes address flaws in Oracle E-Business Suite, seven of which are remotely exploitable; one fix is for Oracle Enterprise Manager; three are for the PeopleSoft-JDEdwards Suite; and six affect Oracle Siebel Enterprise Suite.

By comparison, Oracle's January 2008 CPU contained 26 fixes.

Amichai Shulman, chief technology officer of security vendor Imperva, said in an email that like prior Oracle CPUs there is evidence Oracle is addressing vulnerabilities in a very localized manner each time rather than going through a thorough security analysis. He also criticized the database giant for skimping on details in the CPU bulletin.

"It would have been helpful if Oracle provided more details regarding the nature of the fixed vulnerabilities so customers could better assess the actual threats to their systems given the protection mechanisms that they already have in place," he said.

Slavik Markovich, chief technology officer of security vendor Sentrigo, said the CPU reveals an endless source of ammunition for SQL injection and buffer overflow attacks.

"It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer," he said. "Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch."

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: