Oracle issued its quarterly Critical Patch Update Tuesday, addressing 33 flaws across its product portfolio including critical flaws in Oracle Database and BEA WebLogic server.
The update repairs 10 database vulnerabilities. Three flaws can be remotely exploited without authentication. Database components affected by the errors included network foundation, advanced replication, network authentication, listener, Secure Enterprise Search and configuration management, Oracle said.
The network protocol layer, responsible for establishing and maintaining connections, was given a Common Vulnerability Scoring System (CVSS) score of 9 for Windows. A successful exploit could result in complete control of a database.
"Since this is a protocol level attack, tools that monitor only SQL activity, native audit solutions, or solutions that have visibility only to internal host based activity, will not have any indication that the server is under attack," Amichai Shulman, chief technology officer and founder of database security vendor Imperva, said in a statement.
Two security fixes were issued for Oracle Secure Backup. One of the vulnerabilities was given a CVSS score of 10 for Windows. It is remotely exploitable, does not require authentication and could allow an attacker to take complete control of a system.
The update also included five new security fixes for the Oracle BEA WebLogic server. A critical flaw in Oracle JRockit Java Virtual Machine was given the highest CVSS score of 10. The fix includes an update to the Sun Java Runtime Environment, addressing seven errors.
Oracle repaired two flaws in Oracle Application Server affecting the Oracle Security Developer Tools and the HTTP Server. The vulnerabilities may be remotely exploitable without authentication, meaning they can be exploited over a network without a username and password, Oracle said.
Five flaws were addressed in the Oracle E-Business Suite, affecting the Oracle Application Object Library, Application Install, Application Framework, iStore packaged e-commerce application and Applications Manager. Oracle said three of the flaws were remotely exploitable.
Oracle addressed two security flaws in Oracle Enterprise Manager. Both vulnerabilities require authentication and were not remotely exploitable, Oracle said.
Oracle issued three security fixes for the Oracle PeopleSoft and JD Edwards Suite and addressed a single flaw in Oracle Siebel Suite.