Oracle Corp. released 45 security fixes Tuesday as part of its quarterly Critical Patch Update (CPU) to address flaws in its product line.
"The inclusion of BEA in the CPU was particularly rapid because of the similarities that existed between the current CPU process at Oracle and the patching procedures previously in use at BEA."
Eric Maurice, Manager for Security, Oracle Corp.
The CPU includes 14 patches for Oracle's database products. Eleven updates affect customers using Database 11g, Database 10g and Database 9i. Oracle said none of the vulnerabilities addressed can be remotely exploited without authentication. Three updates address flaws in the TimesTen In-Memory Database that could be exploited remotely without authentication, Oracle said.
Since many of the database flaws addressed by Oracle require authentication, the flaws pose less of a threat than previous CPU releases, said Slavik Markovich, chief technology officer at Sentrigo Ltd. Still, that won't stop attackers from trying to gain access to an account and escalating the privilege of a user.
"This CPU is definitely less risky than the previous one, but it is risky enough," Markovich said. "There's a number of ways to brute force accounts and enumerate them."
David Litchfield, chief research officer at UK-based Next Generation Security (NGS) Software, issued an advisory late Tuesday warning that one of the flaws fixed in the release could be exploited by an unauthenticated attacker "to gain full control of a backend Oracle database server via the front end Web server."
The flaw resides in a PL/SQL package installed on the backend database by Oracle Application Server. The package is vulnerable to PL/SQL injection, Litchfield said in a posting on the full-disclosure email list. Litchfield said he reported the flaw in October 2007.
Oracle assigns a score to its flaws using the Common Vulnerability Scoring System (CVSS) version 2.0. The highest CVSS base score of vulnerabilities affecting Oracle Database products is 6.5, which Markovich and others say is high.
"A higher score actually means the database system is owned," he said. "A hacker doesn't need to own the system, they just need the data."
Stephen Kost, chief technology officer of Integrigy Corp., said the vulnerability, with a score of 6.5, should be considered high risk. He said the hole could likely give an attacker the ability to compromise the entire database. "The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting," Kost said in his prerelease analysis of the CPU.
The CPU also contains nine security fixes for Oracle Application Server that could be exploited remotely without authentication. Six updates address flaws in the Oracle E-Business Suite, seven patches to plug holes in Oracle PeopleSoft Enterprise products, and seven security fixes for Oracle WebLogic Server. There are no security fixes affecting JD Edwards products, Oracle said.
Eric Maurice, Oracle software security assurance director, said in the Oracle Security blog that the update marks the first time that BEA, TimesTen and Hyperion products are in the CPU.
"The inclusion of BEA in the CPU was particularly rapid because of the similarities that existed between the current CPU process at Oracle and the patching procedures previously in use at BEA," Maurice said.