Feeds

Oracle blocks 51 security holes

Patch bandwagon heralds busy week for DBAs

Build a business case: developing custom apps

Oracle released a quarterly patch update on Tuesday containing 51 fixes, one less than originally expected.

The January 2007 update contains security bug fixes that address vulnerabilities in a wide range of Oracle enterprise software products including flaws in Oracle Database, Application Server, Enterprise Manager, Identity Management, E-Business Suite, Developer Suite, and the PeopleSoft software packages.

More than half the patches (26 of the 51) involve Oracle's flagship database software products. Nine of these might be exploited without the benefit of knowing a user name or password, potentially making them far easier to exploit. Of these, eight involve Oracle HTTP Server. The promised, but delayed, security fix also affects Oracle's database software.

The Oracle patch batch also includes 12 new security fixes for Oracle Application Server, eight of which may be remotely exploitable without authentication, as well as seven new security fixes for the Oracle E-Business Suite. Three patches for Oracle PeopleSoft Enterprise PeopleTools, one of which may be remotely exploitable without logging on, and six patches for Oracle Enterprise Manager (five remotely exploitable) complete the unfestive 51.

Secunia reports that the impact of some of the vulnerabilities is unclear while others might be harnessed to gain access to sensitive information, run denial of service attacks, or conduct cross-site scripting and SQL injection attacks.

Oracle has been criticised in the past over the time it takes to develop security patches, and been asked to be more transparent about its security practices. In October, during its last release cycle, Oracle began rating the severity of bugs in its applications according to the Common Vulnerability Scoring System (CVSS), an industry-wide initiative designed to standardise vulnerability rating. Oracle rates this quarter patch batch at 7.0 in a scale from zero to 10, where 10 indicates impending internet meltdown (or some such calamity).

Amichai Shulman, CTO of Israeli database and application security firm Imperva, reckons that some of the vulnerabilities are more severe than Oracle suggests. In particular, he highlighted flaws in Oracle's HTTP server that might be exploited remotely without authentication. "The SSL implementation flaw is the worst of the lot," he added.

A number of the flaws might lend themselves to SQL injections attacks. Exploits would not be difficult for a skilled hacker to craft, Shulman added. Meanwhile, applying the patches would normally involve downtime so it might be some time before enterprises are ready to roll-out fixes.

Long lead times are involved in developing database packages, and this is as true for IBM as it is for Oracle. For this reason releasing Oracle updates on a monthly instead of quarterly basis is unrealistic, according to Shulman.

He added that although Oracle is making some progress in improving its patching process it ought to to be more flexible about the possibility of releasing unscheduled fixes closer to the time when the most severe security flaws are discovered. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?