Feeds

Oracle blocks 51 security holes

Patch bandwagon heralds busy week for DBAs

HP ProLiant Gen8: Integrated lifecycle automation

Oracle released a quarterly patch update on Tuesday containing 51 fixes, one less than originally expected.

The January 2007 update contains security bug fixes that address vulnerabilities in a wide range of Oracle enterprise software products including flaws in Oracle Database, Application Server, Enterprise Manager, Identity Management, E-Business Suite, Developer Suite, and the PeopleSoft software packages.

More than half the patches (26 of the 51) involve Oracle's flagship database software products. Nine of these might be exploited without the benefit of knowing a user name or password, potentially making them far easier to exploit. Of these, eight involve Oracle HTTP Server. The promised, but delayed, security fix also affects Oracle's database software.

The Oracle patch batch also includes 12 new security fixes for Oracle Application Server, eight of which may be remotely exploitable without authentication, as well as seven new security fixes for the Oracle E-Business Suite. Three patches for Oracle PeopleSoft Enterprise PeopleTools, one of which may be remotely exploitable without logging on, and six patches for Oracle Enterprise Manager (five remotely exploitable) complete the unfestive 51.

Secunia reports that the impact of some of the vulnerabilities is unclear while others might be harnessed to gain access to sensitive information, run denial of service attacks, or conduct cross-site scripting and SQL injection attacks.

Oracle has been criticised in the past over the time it takes to develop security patches, and been asked to be more transparent about its security practices. In October, during its last release cycle, Oracle began rating the severity of bugs in its applications according to the Common Vulnerability Scoring System (CVSS), an industry-wide initiative designed to standardise vulnerability rating. Oracle rates this quarter patch batch at 7.0 in a scale from zero to 10, where 10 indicates impending internet meltdown (or some such calamity).

Amichai Shulman, CTO of Israeli database and application security firm Imperva, reckons that some of the vulnerabilities are more severe than Oracle suggests. In particular, he highlighted flaws in Oracle's HTTP server that might be exploited remotely without authentication. "The SSL implementation flaw is the worst of the lot," he added.

A number of the flaws might lend themselves to SQL injections attacks. Exploits would not be difficult for a skilled hacker to craft, Shulman added. Meanwhile, applying the patches would normally involve downtime so it might be some time before enterprises are ready to roll-out fixes.

Long lead times are involved in developing database packages, and this is as true for IBM as it is for Oracle. For this reason releasing Oracle updates on a monthly instead of quarterly basis is unrealistic, according to Shulman.

He added that although Oracle is making some progress in improving its patching process it ought to to be more flexible about the possibility of releasing unscheduled fixes closer to the time when the most severe security flaws are discovered. ®

The Essential Guide to IT Transformation

More from The Register

next story
Brit celebs' homes VANISH from Google's Street View
Tony Blair's digs now a Tone-y Blur
German government orders local CIA station chief to pack his bags
Sour Krauts arrest second local in domestic spy ring probe
Doctor Who season eight scripts leak online
BBC asks fans to EXTERMINATE copies before they materialise
Snowden leaks latest: NSA, FBI g-men spied on Muslim-American chiefs
US Navy veteran? Lawmaker? Academic? You're all POTENTIAL TERRORISTS
LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more
First cross-platform version of cleaned-up OpenSSL fork
UK's emergency data slurp: IT giants panicked over 'legal uncertainty'
PM says rushed-through DRIP law will 'plug holes' in existing legislation
Russian MP fears US Secret Service cuffed his son for Snowden swap
Seleznev Jnr is 'prolific trafficker in stolen credit card data', it is alleged
Teensy card skimmers found in gullets of ATMs
Hi-tech fraudsters treading more softly, but gas still yielding bang for buck
Adobe Flash: The most INSECURE program on a UK user's PC
XML a weak spot, but nothing's as dire as Adobe player
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
The Power of One Brief: Top reasons to choose HP BladeSystem
Download this brochure to find five ways HP BladeSystem can optimize your business with the power of one.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.