Oracle Corp. released a mammoth security update Tuesday, fixing critical flaws that attackers could exploit to execute malicious code, bypass access restrictions, cause a denial of service, or conduct cross-site scripting and SQL injection attacks.
Oracle said the vulnerabilities affect the following products:
- Oracle Application Server 10g
- Oracle Collaboration Suite Release 1
- Oracle Collaboration Suite Release 2
- Oracle Database 8.x
- Oracle Database Server 10g
- Oracle Developer Suite 10g
- Oracle E-Business Suite 11i
- Oracle Enterprise Manager 10.x
- Oracle Enterprise Manager 9.x
- Oracle9i Application Server
- Oracle9i Database Enterprise Edition
- Oracle9i Database Standard Edition
- PeopleSoft Enterprise Customer Relationship Management (CRM) 8.x
- PeopleSoft EnterpriseOne Applications 8.x
- JD Edwards EnterpriseOne 8.x
- JD Edwards OneWorld 8.x
Danish vulnerability watchdog Secunia said in an advisory that as many as 85 vulnerabilities may affect various Oracle products. Secunia said the vulnerabilities include, among others:
- A buffer overflow flaw and 17 PL/SQL injection vulnerabilities in Oracle Database 10g and Oracle9i Database Server.
- A problem in which "some input passed to 'test.jsp' of the Oracle Reports Server isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
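PL/SQL injection of the kind counted above arises when a stored procedure builds dynamic SQL by concatenating caller-supplied text. Because most Oracle-shipped packages run with definer rights, anything injected into such a statement executes with the package owner's privileges rather than the caller's, which is what makes this class of bug more than an ordinary SQL injection. The following is an added example, not code from Oracle or from the advisories quoted here; the schema `app`, the table `app.employees` and the procedure names are hypothetical. It shows the vulnerable pattern next to a hardened form that uses a bind variable for data, `DBMS_ASSERT` for an identifier that genuinely has to be interpolated, and invoker rights so the procedure does not lend its owner's privileges to whoever calls it.

```sql
-- Hypothetical vulnerable procedure (example code, not Oracle's).
-- The caller's input is spliced straight into dynamic SQL, so a value such as
--   x' OR '1'='1
-- rewrites the predicate, and because the procedure is definer-rights the
-- statement runs with the owner's (app's) privileges, not the caller's.
CREATE OR REPLACE PROCEDURE app.get_emp_vulnerable (p_name IN VARCHAR2)
  AUTHID DEFINER
AS
  l_cur   SYS_REFCURSOR;
  l_sql   VARCHAR2(4000);
  l_ename VARCHAR2(100);
BEGIN
  l_sql := 'SELECT ename FROM app.employees WHERE ename = ''' || p_name || '''';
  OPEN l_cur FOR l_sql;                 -- injected text becomes part of the query
  LOOP
    FETCH l_cur INTO l_ename;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_ename);
  END LOOP;
  CLOSE l_cur;
END;
/

-- Hardened form. The search value is passed as a bind variable, so it can only
-- ever be compared as data. The table name, which cannot be bound, is checked
-- with DBMS_ASSERT.SQL_OBJECT_NAME, which raises ORA-44002 unless the string is
-- the name of an existing schema object. AUTHID CURRENT_USER makes the query
-- run with the caller's own privileges.
CREATE OR REPLACE PROCEDURE app.get_emp_hardened (p_name  IN VARCHAR2,
                                                  p_table IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  l_cur   SYS_REFCURSOR;
  l_sql   VARCHAR2(4000);
  l_ename VARCHAR2(100);
BEGIN
  l_sql := 'SELECT ename FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
        || ' WHERE ename = :name';
  OPEN l_cur FOR l_sql USING p_name;    -- :name is bound, never parsed as SQL
  LOOP
    FETCH l_cur INTO l_ename;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_ename);
  END LOOP;
  CLOSE l_cur;
END;
/

-- Constructed input showing the difference. In PL/SQL a doubled quote inside a
-- literal is one quote, so this argument is the string  x' OR '1'='1
SET SERVEROUTPUT ON
BEGIN
  -- Vulnerable: the query becomes
  --   SELECT ename FROM app.employees WHERE ename = 'x' OR '1'='1'
  -- and every row is printed.
  app.get_emp_vulnerable('x'' OR ''1''=''1');

  -- Hardened: the same string is compared literally against ename and
  -- matches nothing; a bogus table name would raise ORA-44002 instead.
  app.get_emp_hardened('x'' OR ''1''=''1', 'app.employees');
END;
/
```

The check a reviewer applies to any Oracle package that appears in a CPU is the same one this example illustrates: locate every `EXECUTE IMMEDIATE`, `OPEN ... FOR`, and `DBMS_SQL.PARSE` call, confirm that each piece of caller-controlled text reaches the statement either as a bind variable or through `DBMS_ASSERT`, and ask whether the procedure really needs definer rights at all.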
The French Security Incident Response Team (FrSIRT) also issued an advisory on the patches, saying the flaws could be used "by remote or local attackers" to carry out the attacks described above.