Oracle blocks 51 security holes
Patch bandwagon heralds busy week for DBAs
Oracle released a quarterly patch update on Tuesday containing 51 fixes, one less than originally expected.
The January 2007 update  contains security bug fixes that address vulnerabilities in a wide range of Oracle enterprise software products including flaws in Oracle Database, Application Server, Enterprise Manager, Identity Management, E-Business Suite, Developer Suite, and the PeopleSoft software packages.
More than half the patches (26 of the 51) involve Oracle's flagship database software products. Nine of these might be exploited without the benefit of knowing a user name or password, potentially making them far easier to exploit. Of these, eight involve Oracle HTTP Server. The promised, but delayed, security fix also affects Oracle's database software.
The Oracle patch batch also includes 12 new security fixes for Oracle Application Server, eight of which may be remotely exploitable without authentication, as well as seven new security fixes for the Oracle E-Business Suite. Three patches for Oracle PeopleSoft Enterprise PeopleTools, one of which may be remotely exploitable without logging on, and six patches for Oracle Enterprise Manager (five remotely exploitable) complete the unfestive 51.
Secunia reports  that the impact of some of the vulnerabilities is unclear while others might be harnessed to gain access to sensitive information, run denial of service attacks, or conduct cross-site scripting and SQL injection attacks.
Oracle has been criticised in the past over the time it takes to develop security patches, and been asked to be more transparent about its security practices. In October, during its last release cycle, Oracle began rating the severity of bugs in its applications according to the Common Vulnerability Scoring System (CVSS), an industry-wide initiative designed to standardise vulnerability rating. Oracle rates this quarter patch batch at 7.0 in a scale from zero to 10, where 10 indicates impending internet meltdown (or some such calamity).
Amichai Shulman, CTO of Israeli database and application security firm Imperva, reckons that some of the vulnerabilities are more severe than Oracle suggests. In particular, he highlighted flaws in Oracle's HTTP server that might be exploited remotely without authentication. "The SSL implementation flaw is the worst of the lot," he added.
A number of the flaws might lend themselves to SQL injections attacks. Exploits would not be difficult for a skilled hacker to craft, Shulman added. Meanwhile, applying the patches would normally involve downtime so it might be some time before enterprises are ready to roll-out fixes.
Long lead times are involved in developing database packages, and this is as true for IBM as it is for Oracle. For this reason releasing Oracle updates on a monthly instead of quarterly basis is unrealistic, according to Shulman.
He added that although Oracle is making some progress in improving its patching process it ought to to be more flexible about the possibility of releasing unscheduled fixes closer to the time when the most severe security flaws are discovered. ®