The update repairs 10 database vulnerabilities. Three flaws can be remotely exploited without authentication. Database components affected by the errors included network foundation, advanced replication, network authentication, listener, Secure Enterprise Search and configuration management, Oracle said.
A flaw in the network protocol layer, which is responsible for establishing and maintaining connections, was given a Common Vulnerability Scoring System (CVSS) score of 9 for Windows. A successful exploit could result in complete control of a database.
Two security fixes were issued for Oracle Secure Backup. One of the vulnerabilities was given a CVSS score of 10 for Windows. It is remotely exploitable, does not require authentication and could allow an attacker to take complete control of a system.
The update also included five new security fixes for the Oracle BEA WebLogic server. A critical flaw in Oracle JRockit Java Virtual Machine was given the highest CVSS score of 10. The fix includes an update to the Sun Java Runtime Environment, addressing seven errors.
Oracle repaired two flaws in Oracle Application Server affecting the Oracle Security Developer Tools and the HTTP Server. The vulnerabilities may be remotely exploitable without authentication and may be exploited over a network without the need for a username and password, Oracle said.
Five flaws were addressed in the Oracle E-Business Suite, affecting the Oracle Application Object Library, Application Install, Application Framework, iStore packaged e-commerce application and Applications Manager. Oracle said three of the flaws were remotely exploitable.
Oracle addressed two security flaws in Oracle Enterprise Manager. Both vulnerabilities require authentication and were not remotely exploitable, Oracle said.
Oracle issued three security fixes for the Oracle PeopleSoft and JDEdwards Suite and addressed a single flaw in Oracle Siebel Suite.