For the first installment in its quarterly patching cycle, Oracle Corp. yesterday released a patch set to fix 23 flaws -- a number of them high-risk -- in its database products. The company also received kudos for an informative risk matrix that is a new addition to its advisories.
"The advisory is a comprehensive document and contains much better information than previous advisories from Oracle," independent security researcher Pete Finnigan wrote in his blog, PeteFinnigan.com. "The key addition in this advisory is the new risk matrix that details each bug to some degree and also the risk." In the matrix, each flaw is numbered, the affected component is identified, and the privileges needed to exploit the bug are listed. The earliest and latest affected versions are also given, along with whether a workaround is available.
"I hope that in particular the risk matrix will really help customers make decisions about applying the patches quickly and confidently," Finnigan added.
Security vulnerability aggregator Secunia reported a total of 23 flaws in Oracle's products that will allow remote manipulation of data, exposure of sensitive information, privilege escalation and denial of service. See sidebar.
Finnigan was named as the discoverer of a directory traversal flaw: "A problem with being able to use directory objects incorrectly within the database."
Directory objects used in the Oracle database contain the location of a specific operating system directory, according to Finnigan's advisory. Directory objects can be accessed in various ways. Any existing directory object that can be accessed presents a potential risk. Read privileges on a directory object are required to exploit this issue.
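Because read access to a directory object is the precondition Finnigan's advisory names, the first thing an administrator will want is an inventory of who holds such access. The query below is an added example, not code from the article or from Finnigan's advisory; it assumes the standard Oracle data-dictionary views DBA_DIRECTORIES and DBA_TAB_PRIVS (directory grants are recorded there with the directory name in TABLE_NAME) and a session that can read the DBA_* views, such as SYSTEM. The directory name in the REVOKE is a constructed placeholder.

```sql
-- Added example: list every READ or WRITE grant on a directory object,
-- together with the operating-system path the object points at, so a DBA
-- can see which accounts could reach that path through the database.
-- Grants to PUBLIC are sorted first because they apply to every account.
SELECT d.directory_name,
       d.directory_path,
       p.grantee,
       p.privilege,
       p.grantable
  FROM dba_directories d
  JOIN dba_tab_privs   p
    ON p.table_name = d.directory_name
   AND p.owner      = d.owner          -- directory objects are owned by SYS
 WHERE p.privilege IN ('READ', 'WRITE')
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          d.directory_name,
          p.grantee;

-- Directory objects that are granted to PUBLIC, or whose path is a broad
-- location such as a filesystem root or an Oracle home, deserve review.
-- Constructed example of withdrawing an over-broad grant (REPORT_DIR is a
-- placeholder name, not a directory from the advisory):
REVOKE READ ON DIRECTORY report_dir FROM PUBLIC;
```

Run the query before and after applying the patch set; the patch fixes the bug, but the grants it reports are the exposure that remains for any future directory-object issue, so the list is worth keeping to the accounts that genuinely need file access.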
A number of the flaws were announced by Next Generation Security Software [NGSS]. The Surrey, U.K.-based company said all versions of the Oracle Database 10g and Oracle 9i Database Server are vulnerable to the flaws it discovered, which include a buffer overflow vulnerability and PL/SQL injection vulnerabilities that allow low-privileged users to gain DBA privileges. The latter flaws can be exploited via the Web through the Oracle Application Server, NGSS said.
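NGSS has not released details, but the general shape of a PL/SQL injection flaw that hands a low-privileged user the procedure owner's rights is well understood, and it is what a code reviewer looks for when auditing stored procedures. The pair of procedures below is an added illustration of that class, not code from NGSS, Oracle or this article; the procedure, schema and table names are constructed, and the example assumes a procedure owned by a privileged schema that ordinary users are allowed to execute.

```sql
-- Added example, constructed names throughout.

-- Vulnerable pattern: caller-supplied text is concatenated straight into
-- dynamic SQL. Because the procedure runs with its owner's rights (the
-- default, AUTHID DEFINER), whatever statement the text turns into also
-- runs with the owner's rights, not the caller's.
CREATE OR REPLACE PROCEDURE purge_audit_rows (p_table IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM ' || p_table || ' WHERE archived = ''Y''';
END;
/

-- Hardened pattern: the object name is checked against the data dictionary
-- before it is used, the value in the predicate is bound rather than
-- concatenated, and the procedure runs with the caller's rights so a bad
-- argument cannot borrow the owner's privileges.
CREATE OR REPLACE PROCEDURE purge_audit_rows (p_table IN VARCHAR2)
  AUTHID CURRENT_USER AS
  v_owner  VARCHAR2(30);
  v_table  VARCHAR2(30);
BEGIN
  -- Accept only real tables in the one schema the procedure is meant to
  -- touch (AUDIT_APP is a constructed schema name). A name that is not in
  -- the dictionary raises NO_DATA_FOUND and is never executed.
  SELECT owner, table_name
    INTO v_owner, v_table
    FROM all_tables
   WHERE owner      = 'AUDIT_APP'
     AND table_name = UPPER(p_table)
     AND table_name LIKE 'AUDIT\_%' ESCAPE '\';

  -- Identifiers cannot be bound, so the validated names are quoted; the
  -- comparison value is passed as a bind variable.
  EXECUTE IMMEDIATE 'DELETE FROM "' || v_owner || '"."' || v_table
                 || '" WHERE archived = :flag'
    USING 'Y';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20001, 'table not permitted: ' || p_table);
END;
/
```

Two review checks follow from this: grep packages and procedures for EXECUTE IMMEDIATE or DBMS_SQL calls that build statements from parameters, and query DBA_TAB_PRIVS for EXECUTE grants to PUBLIC on code owned by SYS or application-owner schemas, since a definer's-rights procedure reachable by every account is exactly the combination that turns an injection bug into a privilege escalation.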
Details on the flaws are sketchy at this point. NGSS said it will withhold information on the flaws until April 18, allowing Oracle database users three months to test and apply patches.
Other flaws were reported to Oracle by Alex Kornbrust of Red Database Security and Stephen Kost.
"This Critical Patch Update is a cumulative update containing fixes for multiple security vulnerabilities," according to Oracle's advisory. "In addition, it also contains non-security fixes that are required [because of interdependencies] by those security fixes."
Affected products include Oracle Database 10g Release 1, Oracle9i Database Server Release 1 and Release 2, Oracle8i Database Server Release 3, Oracle8 Database Release 8.0.6, Oracle Application Server 10g, Oracle Application Server 10g Release 2, Oracle9i Application Server Release 1 and Release 2, Oracle Collaboration Suite Release 2, and Oracle E-Business Suite and Applications Release 11i and Release 11.0. For specific versions, please see the Oracle advisory.
Oracle has released a patch set to address these vulnerabilities. NGSS said Oracle database administrators are urged to download, test and install the patch set as soon as possible.