Oracle releases critical, out-of-cycle patch

By Bill Brenner, Senior News Writer
28 Feb 2006 | SearchSecurity.com

Security Wire Daily News
Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead of its next scheduled security update.

Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites.

Chicago-based security firm Integrigy Corp. said in a report (pdf) that the patch covers "a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes." The most significant issue is that some of the diagnostics can be executed without any authentication, and "it is possible to configure the diagnostics to be unrestricted. Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."

The Oracle Diagnostics feature in E-Business Suite 11i allows IT administrators to run technical and functional tests on the configuration and setup of the application, Integrigy said. The tests cover a range of functionality from the application server setup to functional tests in modules such as General Ledger and Human Resources, the company added.

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, described the update in his blog as a "stealth security patch," yet, oddly, Oracle has not kept the information as guarded as it has with past out-of-cycle updates.

"They normally only release security patches as part of the Critical Patch Update (CPU) process on a quarterly basis," he said. "It is common, however, to include security fixes in upgrades that are then included in the next CPU. [But] it is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," as it did in this case.

Oracle issued its last CPU in January, when it fixed 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The next scheduled patch release is April 18.
