Oracle closes 41 vulnerabilities, 17 in its database

Share this article:

Oracle on Tuesday patched 41 vulnerabilities, including 17 impacting its flagship Oracle database product, in its April Critical Patch Update (CPU) round of security fixes.

This amounts to a "medium sized" patch cycle for Oracle, Amichai Shulman, chief technology officer at database security vendor Imperva, told SCMagazineUS.com.

In addition to the database product, Oracle released 11 fixes for its Business Suite and associated applications, six for the Oracle Siebel Enterprise Suite and three each for its Application Server and PeopleSoft-JDEdwards Suite. It also fixed bugs in its Enterprise Manager, Enterprise Search/Ultrasearch product and Collaboration Suite.

Fourteen of the vulnerabilities can be exploited remotely without authentication, the company said in its security alert. These include seven affecting the E-Business Suite, three impacting the Siebel Enterprise product, two impacting the Oracle Application Server, one each affecting the Oracle database and the Application Express product.

Exploiting these bugs would allow an attacker to take over the affected system via a network without needing a username or password, the company said.

“This basically means that your database is a sitting duck unless you deploy this patch," Slavik Markovich, CTO of Sentrigo, told SCMagazineUS.com. "The last we saw of those was, I believe, two CPUs ago."

Shulman said one of the database vulnerabilities fixed in this round allows an outside attacker to perform an activity in the database server without the activity being reported by the internal audit trail mechanism.

"That's an example of why enterprises should start using external auditing mechanisms for their database servers," he said. “There will always be vulnerabilities in the software products enterprises are trying to protect and they can't rely just on the internal auditing mechanisms.”

Oracle rated one of the Application Server vulnerabilities a 9.3 (out of 10) on its vulnerability scoring system. This flaw, which is applicable to client-only installations, affects only the client portion of Oracle Application Server, according to Oracle. Most of the remaining vulnerabilities were of low to medium in severity, the company said.

All six of the Siebel Enterprise security fixes are for the product's SimBuilder component. SimBuilder is a standalone component used to prepare and deliver training materials and may not be deployed in all Siebel enterprise installations, Oracle said.

Oracle has on several occasions, including this round, found multiple instances of a single vulnerability within its products and patched them separately instead of fixing them through the package completely, Imperva's Shulman said.

"In a quick search, I found five of those when they fixed only part of the problem, he said, adding that time constraints likely are to blame for this approach.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

As EMV deadline looms, industry looks to next ATM attack front

As EMV deadline looms, industry looks to next ...

Next year, EMV migration in the U.S. will inevitability change fraudsters' attack methods.

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.