Oracle Corp. issued 43 fixes Tuesday as part of its quarterly Critical Patch Update, repairing flaws in its database management system, application server and application product lines.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
The Oracle CPU contained patches addressing 16 database flaws affecting Oracle Database 11g, 10g and 9i. A flaw in the Oracle Resource Manager, which allocates CPU resources, has the highest Common Vulnerability Scoring System (CVSS) score (9). It could allow an attacker to gain complete control of a database. The vulnerability affects Oracle Database Server 220.127.116.11 and 18.104.22.168DV, Oracle said.
Amichai Shulman, chief technology officer of database and application security vendor Imperva Inc., said the flaw is likely a SQL injection vulnerability within a database row or statement trigger.
"In my experience, it's rather unusual to have this highly rated vulnerability within the database itself," Shulman said.
January 2009 CPU - Oracle patches dangerous WebLogic, Secure Backup vulnerabilities: Oracle repaired several dangerous flaws in its BEA WebLogic server line and its Secure Backup software that could be exploited by an attacker to gain access to critical files.
October 2008 CPU - Oracle patches dangerous WebLogic flaw, critical database holes: A severe WebLogic flaw is among 36 security fixes released by Oracle Corp. across its database, middleware and enterprise software products.
What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products? When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in this IAM expert response.
Eric Maurice, manager of security in Oracle's Global Technology Business Unit, told customers that organizations should implement mitigation measures until a patch is deployed.
"Such measures may include additional monitoring of these systems and ensuring that appropriate network access control measures are implemented around them," Maurice wrote on the Oracle Product Security blog.
The vulnerability with the second highest CVSS score (7.1) is less severe since it requires full database privledges, including the ability to import databases, Maurice said.
Oracle patched 12 flaws in Oracle Application Server 10g. The vulnerability with the highest CVSS base score (7.5) affects the OPMN service, which monitors and controls application server components and instances. It can be exploited by an attacker to gain partial control of the application server and access sensitive information.
Oracle continues to release highly critical patches for its BEA product line. Two of the eight security fixes released have a CVSS base score of 10. One of the serious flaws is within Oracle JRockit, a Java development and runtime platform used to troubleshoot Java applications. The other flaw is within the BEA WebLogic server itself. Both flaws could be exploited remotely by an attacker, require no authentication and could give them complete access to the server to steal sensitive information.
"I think by their nature these kinds of products are more susceptible to vulnerabilities that are exploitable without authentication," Imperva's Shulman said.
Three flaws were patched within Oracle's E-Business suite, the company's flagship enterprise resource management software. The flaws are contained in the Oracle application object library, the applications framework and the technology stack, Oracle said. The highest CVSS base score was 6.8. Four new security fixes were released for the Oracle PeopleSoft and JDEdwards software suite.
In January, Oracle issued 41 security fixes, repairing several serious flaws in its BEA WebLogic server line and its Secure Backup management software.