Oracle patches 36 holes

By Robert Westervelt, News Editor 18 Apr 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Attackers could potentially exploit the most severe flaws to compromise the database server or the host operating system, the Redwood Shores, Calif.-based, database giant said.

The Oracle Critical Patch Update contained patches for 13 holes in its Oracle Database. Fixes were also made available for its Enterprise Manager in the 9i database, Workflow Cartidge and Ultra Search component. The software vendor said two of the holes could be remotely exploitable without the need for a user name and password.

Two database vulnerabilities addressed by the CPU affect Oracle Database client-only installations. Oracle said they could be exploited by an attacker where a privileged operating system process is passing input from an unprivileged source to the affected program.

Oracle security: Oracle to patch 37 flaws: Oracle said it would patch 37 flaws in its preview of the CPU. Jan. 17: Oracle releases 51 security fixes The flaws are across Oracle's product line and attackers could exploit them remotely to compromise vulnerable systems. Podcast: The state of Oracle security: In this edition of Security Wire Weekly, Oracle DBA Jon Emmons gives his observations about Oracle's new critical patch update format. Report: Microsoft beats Oracle on security: In a new whitepaper, security guru David Litchfield of Next Generation Security explains why Microsoft has a tighter grasp on its database defenses than Oracle.

A patch was also issued to plug hole in Oracle's Secure Enterprise Search component.

Addressing Oracle's database vulnerabilities, David Litchfield, managing director at UK-based NGS (Next Generation Security) Software said Oracle's CPU addresses issues related to flaws first reported in 2002 and 2004.

"This may indicate that Oracle is now in a position where they can 'clear the backlog' indicating that most of the more important flaws have been found and patched," Litchfield said in a report he issued analyzing the latest batch of patches. "If this is correct then we should see smaller patches being released in future CPUs."

Litchfield said up to 39 other issues, some high risk, are still awaiting a patch. Five security fixes were released for Oracle Application Server. The software vendor also repaired a Workflow Cartridge flaw and an Oracle Secure Enterprise Search flaw that affected Oracle Application Server. Oracle said its

Application Server 10g Release 2 (10.1.3.0.0) is not affected by Application Server specific vulnerabilities, but includes Oracle Database code that needs to be patched by applying the Oracle Application Server patch.

The CPU also contained a fix for the Oracle Collaboration Suite and 11 patches for the Oracle E-Business Suite. Two of the vulnerabilities affecting the business software could be remotely executed over a network without a user name or password.

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary