Oracle fixes 41 flaws in April CPU

By Bill Brenner, Senior News Writer 16 Apr 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

As expected, Oracle fixed 41 flaws across its product line with the April 2008 Critical Patch Update (CPU) released Tuesday. Hours after the release, Symantec Corp. warned that attackers could exploit several of the glitches to compromise the confidentiality and integrity of targeted systems.

It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer. Slavik Markovich, chief technology officer, Sentrigo

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the vulnerabilities affect such products as Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.

Specifically, the CPU includes 17 fixes for Oracle Database products and three for Oracle Application Server. Oracle said attackers could remotely exploit several of the flaws, including all three application server issues, without the need for a username and password.

Eleven fixes address flaws in Oracle E-Business Suite, seven of which are remotely exploitable; one fix is for Oracle Enterprise Manager; three are for the PeopleSoft-JDEdwards Suite; and six affect Oracle Siebel Enterprise Suite.

By comparison, Oracle's January 2008 CPU contained 26 fixes.

Amichai Shulman, chief technology officer of security vendor Imperva, said in an email that like prior Oracle CPUs there is evidence Oracle is addressing vulnerabilities in a very localized manner each time rather than going through a thorough security analysis. He also criticized the database giant for skimping on details in the CPU bulletin.

"It would have been helpful if Oracle provided more details regarding the nature of the fixed vulnerabilities so customers could better assess the actual threats to their systems given the protection mechanisms that they already have in place," he said.

Slavik Markovich, chief technology officer of security vendor Sentrigo, said the CPU reveals an endless source of ammunition for SQL injection and buffer overflow attacks.

"It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer," he said. "Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch."

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research Security Patch Management Adobe patches ColdFusion vulnerability blocking website attack Microsoft to address DirectShow, ActiveX zero-day flaws Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary