Oracle's July 2007 CPU has 45 security fixes

By Bill Brenner, Senior News Writer 17 Jul 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Oracle Corp.'s July 2007 Critical Patch Update (CPU) contains 45 security fixes for flaws across the company's product line attackers could exploit to tamper with corporate databases without the need for a username and password.

Oracle security: Podcast: The state of Oracle security: In this edition of Security Wire Weekly, Oracle DBA Jon Emmons gives his observations about Oracle's new critical patch update format. Podcast: Security360 - SOA, Web Services Security: ZapThink analyst Jason Bloomberg offers an overview of the security issues unique to SOA environments, while executives from SAP and Oracle discuss how they address SOA security. April - Oracle patches 36 holes: Oracle issued patches for 36 holes in the database management system, application server, E-Business Suite and JD Edwards and PeopleSoft software. Jan. - Oracle releases 51 security fixes: The flaws are across Oracle's product line and attackers could exploit them remotely to compromise vulnerable systems. Oracle emulates Microsoft with advance patch notice: Oracle will patch 52 security flaws across its product line Tuesday, according to its inaugural CPU advance notification bulletin.

The Redwood Shores, Calif.-based database giant released the CPU Tuesday afternoon with one fix fewer than it predicted in last week's advance bulletin. "Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," the vendor said in its CPU bulletin.

The CPU fixes:

• Nineteen flaws in Oracle Database products, two of which attackers could exploit remotely over a network without the need for a username and password.
• Four flaws in Oracle Application Server, three of which attackers could exploit remotely without authentication.
• A flaw in Oracle Collaboration Suite that may be remotely exploitable without authentication.
• Fourteen flaws in Oracle E-Business Suite (EBS), six of which attackers could exploit over a network without the need for a username and password.
• Three flaws in Oracle PeopleSoft Enterprise PeopleTools, two in PeopleSoft Enterprise Customer Relationship Management and two in PeopleSoft Enterprise Human Capital Management. One of the flaws in Oracle PeopleSoft Enterprise PeopleTools may be remotely exploitable without a username and password.

The Application Defense Center of Foster City, Calif.-based Imperva Inc. discovered one of the Oracle E-Business Suite flaws. According to Imperva's Oracle E-Business Suite advisory, attackers could exploit an XSS vulnerability in the product to steal sensitive data and launch phishing attacks. Successful attackers could steal information from users of the business suite whether they are employees of the organization that deploys the business suite or partners that access it in a self-service mode, said Amichai Shulman, chief technology officer of Imperva and director of its Application Defense Center.

"The flaw is in the Web interface and doesn't require authentication," he said. "It's a cross-site scripting vulnerability that allows attackers to execute malicious code on a victim's browser by sending specially crafted links to the targeted application. The attacker could use this to gain unauthorized access to an E-Business suite."

Shulman said the flaw is especially critical for those who expose their E-Business suite to the Internet through partners, vendors and customers.

Tags: Database Security Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary