Oracle fixes 41 flaws in April CPU

By Bill Brenner, Senior News Writer 16 Apr 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

As expected, Oracle fixed 41 flaws across its product line with the April 2008 Critical Patch Update (CPU) released Tuesday. Hours after the release, Symantec Corp. warned that attackers could exploit several of the glitches to compromise the confidentiality and integrity of targeted systems.

It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer. Slavik Markovich, chief technology officer, Sentrigo

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the vulnerabilities affect such products as Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.

Specifically, the CPU includes 17 fixes for Oracle Database products and three for Oracle Application Server. Oracle said attackers could remotely exploit several of the flaws, including all three application server issues, without the need for a username and password.

Eleven fixes address flaws in Oracle E-Business Suite, seven of which are remotely exploitable; one fix is for Oracle Enterprise Manager; three are for the PeopleSoft-JDEdwards Suite; and six affect Oracle Siebel Enterprise Suite.

By comparison, Oracle's January 2008 CPU contained 26 fixes.

Amichai Shulman, chief technology officer of security vendor Imperva, said in an email that like prior Oracle CPUs there is evidence Oracle is addressing vulnerabilities in a very localized manner each time rather than going through a thorough security analysis. He also criticized the database giant for skimping on details in the CPU bulletin.

"It would have been helpful if Oracle provided more details regarding the nature of the fixed vulnerabilities so customers could better assess the actual threats to their systems given the protection mechanisms that they already have in place," he said.

Slavik Markovich, chief technology officer of security vendor Sentrigo, said the CPU reveals an endless source of ammunition for SQL injection and buffer overflow attacks.

"It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer," he said. "Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch."

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary