Oracle patches dangerous WebLogic flaw, critical database holes

By Robert Westervelt, News Editor 15 Oct 2008 | SearchSecurity.com

Oracle news and trends Digg This!     StumbleUpon     Del.icio.us

Oracle Corp. plugged a severe flaw in the Apache plug-in for its WebLogic Server and addressed vulnerabilities in more than two dozen other products as part of its quarterly Critical Patch Update. Oracle said its security update contained patches for 36 flaws.

While their CVSS scores are not as high, I do think that they are actually more threatening than their scores suggest. Amichai Shulman, chief technology officer, Imperva

Oracle released six fixes to address vulnerabilities for the former BEA product line. Five of the vulnerabilities could be remotely exploited by an attacker. Eric Maurice, manager of security in Oracle's Global Technology Business Unit, warned customers that the most severe vulnerability was located in the Apache plug-in for Oracle WebLogic Server. The flaw could be exploited remotely by an attacker and was given a Common Vulnerability Scoring System (CVSS) base score of 10. The attacker doesn't have to be authenticated and could gain complete control of the server.

The CPU includes 15 new security vulnerability fixes for the Oracle Database. The highest CVSS score was 6.5.One of the more critical vulnerabilities is located in Oracle's core relational database management system and may be remotely exploited without authentication. The vulnerability exploits the network protocol between the Oracle client software and the Oracle server. It abuses the proxy account mechanism in the Oracle server. The flaw affects Oracle database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.2.

Compared to previous CPU's, the October release addressed fewer vulnerabilities, said Amichai Shulman, chief technology officer of Foster City, Calif.-based Imperva. In July, Oracle released 45 database and application fixes. Many of the database fixes released this month repair SQL injection vulnerabilities, he said.

SearchSecurity radio:

"While their CVSS scores are not as high, I do think that they are actually more threatening than their scores suggest," Shulman said.

Oracle also plugged holes in its Publish and iPublish packages, which implement some of the services required to control and audit changes to specific columns in the database. The flaws affect Oracle database 10.1.0.5, 10.2.0.4, 11.1.0.6.

"These packages have been patched over and over again at least three times in the past two years," Shulman said.

In addition, six new security updates were released for Oracle Application Server. Two updates to Oracle Portal could be remotely exploited without authentication, Oracle said. In addition, four security updates were released to address issues in parts of the Oracle E-Business Suite. Problems in the Oracle Applications Technology Stack and the iSupplier Portal could be remotely exploited without authentication. Both vulnerabilities were given a medium-risk CVSS score of 5.0.

Five security vulnerability fixes were released by Oracle for its PeopleSoft Enterprise and JD Edwards EnterpriseOne products. Oracle said two of the vulnerabilities could be remotely exploited without authentication.

Tags: Security Patch Management,  Database Security Management,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research Web Server Threats and Countermeasures Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security How to harden Linux operating systems How to clear out anonymous Web proxy servers in the workplace Information security book excerpts and reviews Is it more secure to have a mainframe or a collection of servers? How does a Web server model differ from an application server model?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary