
Oracle issues quarterly patches, fixes database flaws

By SearchSecurity.com Staff
14 Jul 2009 | SearchSecurity.com

Oracle issued its quarterly Critical Patch Update Tuesday, addressing 33 flaws across its product portfolio including critical flaws in Oracle Database and BEA WebLogic server.

The update repairs 10 database vulnerabilities. Three flaws can be remotely exploited without authentication. Database components affected by the errors included network foundation, advanced replication, network authentication, listener, Secure Enterprise Search and configuration management, Oracle said.

A flaw in the network protocol layer, which is responsible for establishing and maintaining connections, was given a Common Vulnerability Scoring System (CVSS) score of 9 for Windows. A successful exploit could result in complete control of a database.

"Since this is a protocol level attack, tools that monitor only SQL activity, native audit solutions, or solutions that have visibility only to internal host based activity, will not have any indication that the server is under attack," Amichai Shulman, chief technology officer and founder of database security vendor Imperva said in a statement.

Two security fixes were issued for Oracle Secure Backup. One of the vulnerabilities was given a CVSS score of 10 for Windows. It is remotely exploitable, does not require authentication and could allow an attacker to take complete control of a system.

The update also included five new security fixes for the Oracle BEA WebLogic server. A critical flaw in Oracle JRockit Java Virtual Machine was given the highest CVSS score of 10. The fix includes an update to the Sun Java Runtime Environment, addressing seven errors.

Oracle repaired two flaws in Oracle Application Server affecting the Oracle Security Developer Tools and the HTTP Server. The vulnerabilities may be remotely exploitable without authentication, meaning they may be exploited over a network without the need for a username and password, Oracle said.

Five flaws were addressed in the Oracle E-Business Suite, affecting the Oracle Application Object Library, Application Install, Application Framework, iStore packaged e-commerce application and Applications Manager. Oracle said three of the flaws were remotely exploitable.

Oracle addressed two security flaws in Oracle Enterprise Manager. Both vulnerabilities require authentication and were not remotely exploitable, Oracle said.

Oracle issued three security fixes for the Oracle PeopleSoft and JDEdwards Suite and addressed a single flaw in Oracle Siebel Suite.
