Oracle issues 43 updates, fixes serious database flaws

By Robert Westervelt, News Editor 14 Apr 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Oracle Corp. issued 43 fixes Tuesday as part of its quarterly Critical Patch Update, repairing flaws in its database management system, application server and application product lines.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The Oracle CPU contained patches addressing 16 database flaws affecting Oracle Database 11g, 10g and 9i. A flaw in the Oracle Resource Manager, which allocates CPU resources, has the highest Common Vulnerability Scoring System (CVSS) score (9). It could allow an attacker to gain complete control of a database. The vulnerability affects Oracle Database Server 9.2.0.8 and 9.2.0.8DV, Oracle said.

Amichai Shulman, chief technology officer of database and application security vendor Imperva Inc., said the flaw is likely a SQL injection vulnerability within a database row or statement trigger.

"In my experience, it's rather unusual to have this highly rated vulnerability within the database itself," Shulman said.

Oracle CPU: January 2009 CPU - Oracle patches dangerous WebLogic, Secure Backup vulnerabilities: Oracle repaired several dangerous flaws in its BEA WebLogic server line and its Secure Backup software that could be exploited by an attacker to gain access to critical files. October 2008 CPU - Oracle patches dangerous WebLogic flaw, critical database holes: A severe WebLogic flaw is among 36 security fixes released by Oracle Corp. across its database, middleware and enterprise software products. What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products? When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in this IAM expert response.

Eric Maurice, manager of security in Oracle's Global Technology Business Unit, told customers that organizations should implement mitigation measures until a patch is deployed.

"Such measures may include additional monitoring of these systems and ensuring that appropriate network access control measures are implemented around them," Maurice wrote on the Oracle Product Security blog.

The vulnerability with the second highest CVSS score (7.1) is less severe since it requires full database privledges, including the ability to import databases, Maurice said.

Oracle patched 12 flaws in Oracle Application Server 10g. The vulnerability with the highest CVSS base score (7.5) affects the OPMN service, which monitors and controls application server components and instances. It can be exploited by an attacker to gain partial control of the application server and access sensitive information.

Oracle continues to release highly critical patches for its BEA product line. Two of the eight security fixes released have a CVSS base score of 10. One of the serious flaws is within Oracle JRockit, a Java development and runtime platform used to troubleshoot Java applications. The other flaw is within the BEA WebLogic server itself. Both flaws could be exploited remotely by an attacker, require no authentication and could give them complete access to the server to steal sensitive information.

SearchSecurity radio:

"I think by their nature these kinds of products are more susceptible to vulnerabilities that are exploitable without authentication," Imperva's Shulman said.

Three flaws were patched within Oracle's E-Business suite, the company's flagship enterprise resource management software. The flaws are contained in the Oracle application object library, the applications framework and the technology stack, Oracle said. The highest CVSS base score was 6.8. Four new security fixes were released for the Oracle PeopleSoft and JDEdwards software suite.

In January, Oracle issued 41 security fixes, repairing several serious flaws in its BEA WebLogic server line and its Secure Backup management software.

Tags: Database Security Management,  Security Patch Management,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Securing Productivity Applications,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Basic Database Security: Step by Step Database activity monitoring lacks security lift Information security book excerpts and reviews IBM to acquire database security firm Guardium What is the best database patch management process? Is credit card tokenization a better option than encryption? Will a database anonymization implementation succeed? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database Security Management Research Security Patch Management Microsoft gives Internet Explorer a major security overhaul Information security book excerpts and reviews What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary