Oracle closes 41 vulnerabilities, 17 in its database


Oracle on Tuesday patched 41 vulnerabilities, including 17 impacting its flagship Oracle database product, in its April Critical Patch Update (CPU) round of security fixes.

This amounts to a "medium sized" patch cycle for Oracle, Amichai Shulman, chief technology officer at database security vendor Imperva, told SCMagazineUS.com.

In addition to the database product, Oracle released 11 fixes for its Business Suite and associated applications, six for the Oracle Siebel Enterprise Suite and three each for its Application Server and PeopleSoft-JDEdwards Suite. It also fixed bugs in its Enterprise Manager, Enterprise Search/Ultrasearch product and Collaboration Suite.

Fourteen of the vulnerabilities can be exploited remotely without authentication, the company said in its security alert. These include seven affecting the E-Business Suite, three impacting the Siebel Enterprise product, two impacting the Oracle Application Server, and one each affecting the Oracle database and the Application Express product.

Exploiting these bugs would allow an attacker to take over the affected system via a network without needing a username or password, the company said.

"This basically means that your database is a sitting duck unless you deploy this patch," Slavik Markovich, CTO of Sentrigo, told SCMagazineUS.com. "The last we saw of those was, I believe, two CPUs ago."

Shulman said one of the database vulnerabilities fixed in this round allows an outside attacker to perform an activity in the database server without the activity being reported by the internal audit trail mechanism.

"That's an example of why enterprises should start using external auditing mechanisms for their database servers," he said. "There will always be vulnerabilities in the software products enterprises are trying to protect and they can't rely just on the internal auditing mechanisms."
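The point Shulman makes is that an audit trail kept by the database itself can be silenced by a flaw in that same database, so a second record produced outside the server (a network-level capture of submitted statements, for instance) is needed to notice the gap. The script below is an added illustration and is not code from the article, Oracle, Imperva or Sentrigo: it reconciles two constructed activity logs, one "external" and one "internal", and reports statements that were observed externally but never appeared in the server's own trail. The pipe-separated record format, field names, session identifiers and the five-second matching window are all assumptions made for the example.

```python
"""
Added example: reconcile an external record of database activity with the
server's own audit trail so that statements the internal mechanism failed to
record stand out. All records below are constructed; the format
(ISO timestamp|session|user|sql) and the matching window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    source: str       # "external" (e.g. network capture) or "internal" (DB audit trail)
    session_id: str   # assumed: both sources can attribute a statement to a session
    ts: datetime
    user: str
    statement: str    # normalised SQL text


def normalise(sql: str) -> str:
    """Collapse whitespace, drop a trailing semicolon and upper-case the text so the
    same statement compares equal regardless of how each source captured it."""
    return " ".join(sql.strip().rstrip(";").split()).upper()


def parse_line(source: str, line: str) -> AuditEvent:
    """Parse one constructed record of the form ISO-timestamp|session|user|sql."""
    ts, sid, user, sql = line.split("|", 3)
    return AuditEvent(source, sid, datetime.fromisoformat(ts), user, normalise(sql))


def parse_lines(source: str, lines: Iterable[str]) -> List[AuditEvent]:
    return [parse_line(source, ln) for ln in lines]


def find_unaudited(external: Iterable[AuditEvent],
                   internal: Iterable[AuditEvent],
                   window: timedelta = timedelta(seconds=5)) -> List[AuditEvent]:
    """Return external events with no internal counterpart.

    A counterpart is an internal event in the same session with the same
    normalised statement whose timestamp lies within `window` (clocks on the
    two sources are assumed to be roughly, not exactly, in step)."""
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for ev in internal:
        by_key.setdefault((ev.session_id, ev.statement), []).append(ev.ts)

    missing: List[AuditEvent] = []
    for ev in external:
        candidates = by_key.get((ev.session_id, ev.statement), [])
        if not any(abs(ev.ts - t) <= window for t in candidates):
            missing.append(ev)
    return missing


# Constructed sample data: the external capture saw four statements, the
# internal trail recorded only three (the privilege change is absent).
EXTERNAL_LOG = [
    "2008-04-16T10:00:01|S1|APPUSER|select * from orders where id = 42",
    "2008-04-16T10:00:03|S1|APPUSER|update orders set status = 'SHIPPED' where id = 42",
    "2008-04-16T10:00:05|S2|APPUSER|grant dba to appuser",
    "2008-04-16T10:00:09|S2|APPUSER|select count(*) from accounts",
]
INTERNAL_LOG = [
    "2008-04-16T10:00:01|S1|APPUSER|SELECT * FROM orders WHERE id = 42;",
    "2008-04-16T10:00:03|S1|APPUSER|UPDATE orders SET status = 'SHIPPED' WHERE id = 42;",
    "2008-04-16T10:00:10|S2|APPUSER|SELECT COUNT(*) FROM accounts;",
]


def report_gaps() -> List[AuditEvent]:
    """Run the reconciliation over the constructed logs and return the gaps."""
    return find_unaudited(parse_lines("external", EXTERNAL_LOG),
                          parse_lines("internal", INTERNAL_LOG))


if __name__ == "__main__":
    for gap in report_gaps():
        print(f"{gap.ts.isoformat()} session={gap.session_id} user={gap.user} "
              f"NOT IN INTERNAL AUDIT: {gap.statement}")
```

Running the block prints the one statement the internal trail lacks, the `GRANT` in session S2. In practice the external source would be whatever the organisation can trust independently of the database process, and the window and session attribution would be tuned to how that source timestamps and correlates traffic.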

Oracle rated one of the Application Server vulnerabilities a 9.3 (out of 10) on its vulnerability scoring system. This flaw, which is applicable to client-only installations, affects only the client portion of Oracle Application Server, according to Oracle. Most of the remaining vulnerabilities were low to medium in severity, the company said.

All six of the Siebel Enterprise security fixes are for the product's SimBuilder component. SimBuilder is a standalone component used to prepare and deliver training materials and may not be deployed in all Siebel enterprise installations, Oracle said.

Oracle has on several occasions, including this round, found multiple instances of a single vulnerability within its products and patched them separately instead of fixing the underlying problem across the package as a whole, Imperva's Shulman said.

"In a quick search, I found five of those when they fixed only part of the problem," he said, adding that time constraints likely are to blame for this approach.
