Oracle released 41 security fixes late Tuesday as part of its quarterly Critical Patch Update (CPU), repairing several serious flaws in its BEA WebLogic server line and its Secure Backup management software.
Oracle's Critical Patch Update Advisory addressed several dangerous vulnerabilities within the former BEA product line. The flaws affect Oracle WebLogic Server Plugin for Apache, Sun, IIS Web servers and WebLogic Portal. Oracle said the vulnerabilities could be exploited by an attacker without authentication. The highest CVSS base score of vulnerabilities affecting Oracle WebLogic Server is 10.0 for the WebLogic Server Plugin for Apache, Sun and IIS Web servers.
Eric Maurice, manager of security in Oracle's Global Technology Business Unit, told customers that the WebLogic plug-in component has been the subject of several serious vulnerabilities recently. The October 2008 Critical Patch Update contained two serious vulnerabilities. In August, an out-of-cycle update was released addressing a dangerous hole in the Apache Connector component.
"The discovery of these vulnerabilities has resulted in bringing a lot of attention on the WebLogic Server Plugin, and as a result, this component has been going through significant review, including an in-depth review by our ethical hacking team …," Maurice wrote on the Oracle Product Security blog.
Amichai Shulman, chief technology officer at database and application security vendor Imperva Inc., said the BEA WebLogic Server is at greater risk of attack because it is perimeter-facing.
"[Oracle] will continue to have their hands full with this product because I think that this is a matter of a culture of releasing vulnerabilities in Web servers before a vendor can respond," Shulman said. "I think during a certain period of time some people at WebLogic were not as responsive to security issues and some researchers grew frustrated."
The other serious flaws plugged by Oracle were in its Secure Backup tape backup management software. Oracle said all the vulnerabilities may be remotely exploited without authentication.
Security vendor Fortinet released an advisory outlining the flaws. Fortinet said its research team discovered five flaws that could be exploited by an attacker to execute code remotely. Secure Backup contains a buffer overflow vulnerability that could be triggered by sending a malformed NDMP client authentication packet, Fortinet said. The other flaws could be exploited to crash the software, the research team said.
The highest CVSS base score affecting Oracle Secure Backup is 10.0 for Windows versions of the product and 7.5 for all other platforms. Oracle said its Secure Backup security vulnerabilities are fixed in version 10.2.0.3.
The CPU also contained 10 new security vulnerability fixes for the Oracle Database. The flaws can be found in Job Queue, Oracle OLAP, Oracle Spatial and Oracle Streams. They affect Oracle Database 9i, 10g and 11g. The highest CVSS score affecting the Oracle Database is 5.5.
Slavik Markovich, chief technology officer at database security vendor Sentrigo Ltd., said the current group of database security updates poses less of a threat than previous quarterly releases, because some of the affected components are not widely used. Still, some databases will be at greater risk, he said.
"The privilege required for some of the vulnerabilities is very low, so if you can create a session inside the database you can own the database," Markovich said. "The advice here is to install only what you need and if you're not using a [feature] definitely remove it."
Vulnerabilities in the Oracle Spatial package have been known, said Imperva's Shulman. Other flaws have low access complexity, which means they can be easily exploited, Shulman said.
"Mostly what we see here is the usual type of SQL injection and stored procedure vulnerabilities," Shulman said. "In my point of view [the CVSS score of] 5.5 doesn't really signify the real risk in these kinds of vulnerabilities."
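Markovich's advice above only works if you know which optional components are actually installed and whether the CPU has been applied. The queries below are an added example, not code from the article or from Oracle; they use the standard DBA_REGISTRY, DBA_REGISTRY_HISTORY and V$OPTION views, run as a DBA account, and the component IDs listed are assumed to be the ones on your release (check DBA_REGISTRY for the full list before acting on the result):

```sql
-- Added example: inventory the optional components named in this CPU
-- (Spatial and OLAP) so unused ones can be removed and used ones patched.
-- Component IDs are the usual Oracle ones; confirm them against your own
-- DBA_REGISTRY output before scripting a removal.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('SDO',    -- Oracle Spatial
                   'APS',    -- OLAP Analytic Workspace
                   'XOQ',    -- Oracle OLAP API
                   'AMD',    -- OLAP Catalog
                   'ORDIM')  -- interMedia, a Spatial dependency
 ORDER BY comp_id;

-- Which of those options the database kernel considers enabled.
SELECT parameter, value
  FROM v$option
 WHERE parameter IN ('Spatial', 'OLAP', 'Streams Capture');

-- Whether a Critical Patch Update has been applied to this database
-- (populated by catcpu.sql / catbundle.sql on 10.2 and later).
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

A component that shows up in DBA_REGISTRY as VALID but that no application schema references is the candidate for removal Markovich describes; an empty DBA_REGISTRY_HISTORY on a 10.2 or 11g database means the post-install catalog step for the CPU was never run, even if the binaries were patched.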
Paul Henry, security and forensic analyst at endpoint security vendor Lumension Security Inc., said the Oracle CPU was in line with previous quarterly updates. Oracle had a high of 82 fixes in 2006, but usually averages about 40 security fixes per CPU, Henry said.
The CPU also contained a number of other updates, including a fix for several errors in the Oracle TimesTen Data Server. A flaw in the real-time, in-memory database could be exploited remotely without authentication, Oracle said. It has a Common Vulnerability Scoring System (CVSS) base score of 7.5.
Four security fixes cover the Oracle Application Server. Oracle said two of them could be exploited remotely without authentication. The highest CVSS score among these vulnerabilities is 5.0.
One fix addresses an issue with the Oracle Collaboration Suite, which provides tools and features for enterprise messaging. Oracle said the Collaborative Workspaces component of Oracle Collaboration Suite is affected by the vulnerability. Collaborative Workspaces is a program interface built on top of the collaboration suite. It allows users to share documents, schedule meetings and complete projects via a forum or email.
The CPU also has four security fixes for the Oracle E-Business Suite. Vulnerabilities can be found in Oracle iProcurement, Oracle Application Object Library and the Oracle Applications Framework and Platform Engineering.
Six security updates repair flaws in the PeopleSoft and JD Edwards suite. The highest CVSS score is 6.5 for a flaw affecting the PeopleSoft Enterprise Components. A flaw was also repaired in the JD Edwards Tools. None of these flaws is remotely exploitable without authentication.