
Oracle to release 41 security fixes

By Robert Westervelt, News Editor
12 Jan 2009 | SearchSecurity.com


Oracle plans to release 41 security fixes on Tuesday as part of its quarterly Critical Patch Update (CPU). The patches repair about a dozen serious flaws across its product line.

In the Oracle prerelease announcement to customers, the vendor said the CPU contains 10 new security vulnerability fixes for the Oracle Database. The flaws can be found in Job Queue, Oracle OLAP, Oracle Spatial and Oracle Streams. They affect Oracle Database 9i, 10g and 11g.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the Redwood Shores, Calif.-based vendor said in its prerelease announcement.

The CPU contains a security vulnerability fix for the Oracle TimesTen Data Server. A flaw in the real-time, in-memory database could be exploited remotely without authentication, Oracle said. The Common Vulnerability Scoring System (CVSS) base score of the vulnerability is 7.5.

Nine new security vulnerability fixes are planned for Oracle Secure Backup, Oracle's tape backup management software. Oracle said all the vulnerabilities may be remotely exploited without authentication. The highest CVSS base score affecting Oracle Secure Backup is 10.0 for Windows versions of the product and 7.5 for all other platforms.

Four security fixes are reserved for the Oracle Application Server. Oracle said two of them could be remotely exploitable without authentication. The highest CVSS score for the vulnerabilities was 5.0.

One fix addresses an issue with the Oracle Collaboration Suite, which provides tools and features for enterprise messaging. Oracle said the Collaborative Workspaces component of Oracle Collaboration Suite is affected by the vulnerability. Collaborative Workspaces is a program interface built on top of the collaboration suite. It allows users to share documents, schedule meetings and complete projects via a forum or email.

The CPU also has four security fixes for the Oracle E-Business Suite. Vulnerabilities can be found in Oracle iProcurement, Oracle Application Object Library and the Oracle Applications Framework and Platform Engineering.

Also, five security fixes address issues within the former BEA product line. The flaws affect Oracle WebLogic Server Plugin for Apache, Sun and IIS Web servers as well as the WebLogic Portal. Oracle said the vulnerabilities could be exploited by an attacker without authentication. The highest CVSS base score of vulnerabilities affecting Oracle WebLogic Server is 10.0 for the WebLogic Server Plugin for Apache, Sun and IIS Web servers.

Oracle released 36 security fixes in October. It patched a dangerous WebLogic flaw and 15 critical database holes.
