Posted Jul 17, 2008 | By Robert Westervelt

45 new patches from Oracle

Oracle released 45 security fixes Tuesday US time as part of its quarterly Critical Patch Update (CPU) to address flaws in its product line.

The CPU includes 14 patches for Oracle Database products. Eleven updates affect customers using Database 11g, Database 10g and Database 9i. Oracle said none of the vulnerabilities it addressed in its databases may be remotely exploited without authentication. Three updates address flaws in the TimesTen In-Memory Database that could be exploited remotely without authentication, Oracle said.

Since many of the database flaws addressed by Oracle require authentication, the flaws pose less of a threat than previous CPU releases, said Slavik Markovich, chief technology officer of security vendor Sentrigo. Still, that won't stop attackers from trying to gain access to an account and escalating the privilege of a user.

"This CPU is definitely less risky than the previous one but it is risky enough," Markovich said. "There's a number of ways to brute force accounts and enumerate them."

Oracle assigns a score to its flaws using the Common Vulnerability Scoring System (CVSS) version 2. The highest CVSS base score of vulnerabilities affecting Oracle Database products is 6.5, which Markovich and others say is high for database products.

"A higher score actually means the database system is owned," he said. "A hacker doesn't need to own the system they just need the data."

Stephen Kost, chief technology officer of Integrigy, said the vulnerability with a score of 6.5 should be considered high risk. He said the hole could likely give an attacker the ability to compromise the entire database. "The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting," Kost said in his pre-release analysis of the CPU.

The CPU also contains nine security fixes for Oracle Application Server that could be exploited remotely without authentication. Six updates address flaws in the Oracle E-Business Suite, seven patches plug holes in Oracle PeopleSoft Enterprise products, and seven security fixes cover Oracle WebLogic Server. There are no security fixes affecting JD Edwards products, Oracle said.

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, said in the Oracle Security blog that the update marks the first time that BEA, TimesTen and Hyperion products are included in the CPU.

"The inclusion of BEA in the CPU was particularly rapid because of the similarities that existed between the current CPU process at Oracle and the patching procedures previously in use at BEA," Maurice said.

Oracle's April CPU included fixes for 41 flaws.

This story first appeared at searchsecurity.com.


Copyright © 2008 Westwick-Farrow Pty Ltd. All rights reserved.