Oracle plugs critical database, application holes

By Robert Westervelt, News Editor 16 Oct 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Oracle Corp. plugged holes in its products as part of its quarterly Critical Patch Update, releasing patches for more than a dozen critical vulnerabilities that could be exploited remotely to gain access to sensitive data.

In all, the Redwood City, Calif.-based database and application software giant released 51 security fixes across hundreds of its products.

The CPU contains 27 fixes for the Oracle Database 10g and 9i, five of which may be exploited remotely without the need for a username and password. The fixes address flaws in the core relational database management system, SQL execution, Oracle Database Vault, and advanced queuing.

The release contains some serious database flaws, according to Amichai Shulman, CTO of Foster City, Calif.-based Imperva Inc. Some of the most critical vulnerabilities require no special privileges in the database to exploit, Shulman said.

"This means that you don't have any workarounds for those vulnerabilities," he said. "Some of them allow a complete takeover of the database without requiring any authentication through the network."

Eleven security fixes plug holes in Oracle Application Server 10g release 2 and 3, seven of which may be remotely exploitable without the need for a username and password. The fixes repair flaws in Oracle HTTP Server, Oracle Portal, Oracle Single Sign-On and Oracle Containers for J2EE.

Oracle E-Business Suite 11i applications contain eight flaws. One of the vulnerabilities can be remotely exploited by an attacker without authentication. Areas affected include Oracle Marketing, Oracle Quoting, Oracle Public Sector Human Resources, Oracle Exchange and Oracle Applications Manager.

Two flaws were patched in Oracle Enterprise Manager and three security fixes were released for Oracle PeopleSoft Enterprise products. The PeopleSoft Human Capital Management software and PeopleTools are affected. No updates were released for JD Edwards software.

The next Critical Patch Update is set for Jan. 15.

"Today's transition to CVSS 2.0, and the early adoption of CVSS by Oracle a year ago, is an evidence of the dedication of Oracle to adopting customer-centric practices for vulnerability remediation and disclosure," Maurice said.

Still, well-known Oracle bug hunter Pete Finnigan noted in his blog that remotely exploitable bugs without authentication get lower scores than those that require a valid connection to the database.

"Presumably because more people have access to authenticated sessions or opportunity to create those sessions than non-authenticated ones," he said.

Imperva's Schulman advised administrators to read the technical details about the vulnerability instead of relying on the score to determine their seriousness.

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary