As expected, Oracle fixed 41 flaws across its product line with the April 2008 Critical Patch Update (CPU) released Tuesday. Hours after the release, Symantec Corp. warned that attackers could exploit several of the glitches to compromise the confidentiality and integrity of targeted systems.
Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the vulnerabilities affect such products as Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.
Specifically, the CPU includes 17 fixes for Oracle Database products and three for Oracle Application Server. Oracle said attackers could remotely exploit several of the flaws, including all three application server issues, without the need for a username and password.
Eleven fixes address flaws in Oracle E-Business Suite, seven of which are remotely exploitable; one fix is for Oracle Enterprise Manager; three are for the PeopleSoft-JDEdwards Suite; and six affect Oracle Siebel Enterprise Suite.
By comparison, Oracle's January 2008 CPU contained 26 fixes.
Amichai Shulman, chief technology officer of security vendor Imperva, said in an email that like prior Oracle CPUs there is evidence Oracle is addressing vulnerabilities in a very localized manner each time rather than going through a thorough security analysis. He also criticized the database giant for skimping on details in the CPU bulletin.
"It would have been helpful if Oracle provided more details regarding the nature of the fixed vulnerabilities so customers could better assess the actual threats to their systems given the protection mechanisms that they already have in place," he said.
Slavik Markovich, chief technology officer of security vendor Sentrigo, said the CPU reveals an endless source of ammunition for SQL injection and buffer overflow attacks.
"It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer," he said. "Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch."