Oracle to release 41 security fixes

By Robert Westervelt, News Editor 12 Jan 2009 | SearchSecurity.com

Oracle news and trends Digg This!     StumbleUpon     Del.icio.us

Oracle plans to release 41 security fixes on Tuesday as part of its quarterly Critical Patch Update (CPU). The patches repair about a dozen serious flaws across its product line.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

In the Oracle prerelease announcement to customers, the vendor said the CPU contains 10 new security vulnerability fixes for the Oracle Database. The flaws can be found in Job Queue, Oracle OLAP, Oracle Spatial and Oracle Streams. They affect Oracle Database 9i, 10g and 11g.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the Redwood Shores, Calif.-based vendor said in its prerelease announcement.

Oracle security: October 2008 CPU: Oracle patches dangerous WebLogic flaw, critical database holes: A severe WebLogic flaw is among 36 security fixes released by Oracle Corp. across its database, middleware and enterprise software products. What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products? When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in this IAM expert response. Is there a published standard or guideline for system hardening? When hardening a system, what specific standards or guidelines should information security pros adhere to? Security management expert Mike Rothman explains.

The CPU contains a security vulnerability fix for the Oracle Times Ten Data Server. A flaw in the real-time, in-memory database could be exploited remotely without authentication, Oracle said. It has the Common Vulnerability Scoring System (CVSS) base score of the vulnerability is 7.5.

Nine new security vulnerability fixes are planned for Oracle Secure Backup, Oracle's tape backup management software. Oracle said all the vulnerabilities may be remotely exploited without authentication. The highest CVSS base score affecting Oracle Secure Backup is 10.0 for Windows versions of the product and 7.5 for all other platforms.

Four security fixes are reserved for the Oracle Application Server. Oracle said two of them could be remotely exploitable without authentication. The highest CVSS score for the vulnerabilities was 5.0.

One fix addresses an issue with the Oracle Collaboration Suite, which provides tools and features for enterprise messaging. Oracle said the Collaborative Workspaces component of Oracle Collaboration Suite is affected by the vulnerability. Collaborative Workspaces is a program interface built on top of the collaboration suite. It allows users to share documents, schedule meetings and complete projects via a forum or email.

The CPU also has four security fixes for the Oracle E-Business Suite. Vulnerabilities can be found in Oracle iProcurement, Oracle Application Object Library and the Oracle Applications Framework and Platform Engineering.

Also, five security fixes address issues within the former BEA product line. The flaws affect Oracle WebLogic Server Plugin for Apache, Sun and IIS Web servers as well as the WebLogic Portal. Oracle said the vulnerabilities could be exploited by an attacker without authentication. The highest CVSS base score of vulnerabilities affecting Oracle WebLogic Server is 10.0 for the WebLogic Server Plugin for Apache, Sun and IIS Web servers.

Oracle released 36 security fixes in October. It patched a dangerous WebLogic flaw and 15 critical database holes.

Tags: Database Security Management,  Enterprise Data Governance,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Enterprise Data Governance How to protect distributed information flows Interpreting 'risk' in the Massachusetts data protection law Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary