Oracle releases patches, but not for many known flaws

By Shawna McAlearney, News Editor 12 Apr 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Even as admins scrambled to patch numerous critical flaws in Oracle products today, some noted that fixes were unavailable for many other serious and well-known flaws -- among them one in Oracle Forms detailed in a paper also released today.

"The Critical Patch Update issued [today]

Multiple high-risk Oracle flaws Twenty-three flaws headline Oracle's first quarterly patch cycle. (Jan. 18)

contains fixes for security vulnerabilities in the Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control and Oracle E-Business Suite," said an Oracle spokesperson. "The patch also includes fixes that customers are likely to apply and/or are prerequisites for the security fixes."

The company noted more than 89 security vulnerabilities -- many of them cumulative -- in its new threat matrix that measures the ease of exploitability and its impact. Oracle said the supported product releases and versions affected include:

• Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle Application Server only);
• Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6;
• Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle Application Server only);
• Oracle8i Database Server Release 3, version 8.1.7.4;
• Oracle Application Server 10g Release 2 (10.1.2);
• Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1;
• Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1;
• Oracle9i Application Server Release 1, version 1.0.2.2;
• Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2;
• Oracle E-Business Suite and Applications Release 11i, versions 11.5.0 through 11.5.10;
• Oracle E-Business Suite and Applications Release 11.0;
• Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3;
• Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1;
• PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93;
• PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher.

However, one expert noted that many flaws weren't addressed in the patch, including a SQL injection vulnerability in default installations of Oracle Forms found by bug researcher Alex Kornburst. "None of the 40 outstanding security bugs he has reported have been fixed, quite a large portion of which have been reported for more than a year," said Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step - A survival guide for Oracle security. Finnigan also noted that researcher Esteban MartÍnez Fayo is credited with some fixes in this advisory but in a recent paper he stated that Oracle still needs to fix more than 65 buffer overflows that he has reported.

"The number of bugs some researchers say they have reported and that are not fixed for quite considerable lengths of time is worrying," Finnigan added. "I hope that Oracle is becoming proactive in fixing bugs quicker rather than [allowing] researchers to advertise larger and larger lists of unfixed Oracle bugs on their sites. How many know of these unfixed bugs and are exploiting them already?"

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary