Oracle closes 41 vulnerabilities, 17 in its database


Oracle on Tuesday patched 41 vulnerabilities, including 17 impacting its flagship Oracle database product, in its April Critical Patch Update (CPU) round of security fixes.

This amounts to a "medium sized" patch cycle for Oracle, Amichai Shulman, chief technology officer at database security vendor Imperva, told SCMagazineUS.com.

In addition to the database product, Oracle released 11 fixes for its Business Suite and associated applications, six for the Oracle Siebel Enterprise Suite and three each for its Application Server and PeopleSoft-JDEdwards Suite. It also fixed bugs in its Enterprise Manager, Enterprise Search/Ultrasearch product and Collaboration Suite.

Fourteen of the vulnerabilities can be exploited remotely without authentication, the company said in its security alert. These include seven affecting the E-Business Suite, three impacting the Siebel Enterprise product, two impacting the Oracle Application Server, and one each affecting the Oracle database and the Application Express product.

Exploiting these bugs would allow an attacker to take over the affected system via a network without needing a username or password, the company said.

"This basically means that your database is a sitting duck unless you deploy this patch," Slavik Markovich, CTO of Sentrigo, told SCMagazineUS.com. "The last we saw of those was, I believe, two CPUs ago."

Shulman said one of the database vulnerabilities fixed in this round allows an outside attacker to perform an activity in the database server without the activity being reported by the internal audit trail mechanism.

"That's an example of why enterprises should start using external auditing mechanisms for their database servers," he said. "There will always be vulnerabilities in the software products enterprises are trying to protect and they can't rely just on the internal auditing mechanisms."
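As an added illustration of the external-auditing point above (not code from the article, Oracle or Imperva), the following reconciles a constructed network-level SQL activity log against a constructed copy of the database's own audit trail and flags statements the internal trail never recorded. The log layout, the user names and the five-second matching window are assumptions.

```python
"""Reconcile an external SQL activity log (e.g. from a network-level
database monitor) against the database's internal audit trail and
report statements the internal trail failed to record."""
from datetime import datetime, timedelta

# Constructed external log: (timestamp, db user, statement seen on the wire).
EXTERNAL_LOG = [
    ("2024-04-15T10:00:01", "scott", "SELECT * FROM emp"),
    ("2024-04-15T10:00:05", "scott", "UPDATE emp SET sal = sal * 2 WHERE ename = 'SMITH'"),
    ("2024-04-15T10:00:09", "hr", "SELECT name FROM employees"),
]
# Constructed internal audit trail: what the database itself logged.
# The UPDATE is missing, modelling an audit-bypass flaw.
INTERNAL_AUDIT = [
    ("2024-04-15T10:00:01", "scott", "SELECT * FROM emp"),
    ("2024-04-15T10:00:10", "hr", "SELECT name FROM employees;"),
]


def _normalize(sql):
    """Collapse whitespace, drop a trailing ';' and lower-case so that
    cosmetically different renderings of one statement still match."""
    return " ".join(sql.split()).rstrip(";").lower()


def find_unaudited(external, internal, window_seconds=5):
    """Return external entries with no internal audit record for the same
    user and normalized statement within window_seconds (assumed window).
    Each internal record is consumed at most once."""
    window = timedelta(seconds=window_seconds)
    remaining = [(datetime.fromisoformat(t), u, _normalize(s)) for t, u, s in internal]
    unmatched = []
    for ts, user, sql in external:
        t, key = datetime.fromisoformat(ts), _normalize(sql)
        match = next((r for r in remaining
                      if r[1] == user and r[2] == key and abs(r[0] - t) <= window), None)
        if match is None:
            unmatched.append((ts, user, sql))
        else:
            remaining.remove(match)
    return unmatched


if __name__ == "__main__":
    for entry in find_unaudited(EXTERNAL_LOG, INTERNAL_AUDIT):
        print("NOT IN INTERNAL AUDIT TRAIL:", entry)
```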

Oracle rated one of the Application Server vulnerabilities a 9.3 (out of 10) on its vulnerability scoring system. This flaw, which is applicable to client-only installations, affects only the client portion of Oracle Application Server, according to Oracle. Most of the remaining vulnerabilities were of low to medium severity, the company said.

All six of the Siebel Enterprise security fixes are for the product's SimBuilder component. SimBuilder is a standalone component used to prepare and deliver training materials and may not be deployed in all Siebel enterprise installations, Oracle said.

Oracle has on several occasions, including this round, found multiple instances of a single vulnerability within its products and patched them separately instead of fixing the underlying problem throughout the package, Imperva's Shulman said.

"In a quick search, I found five of those when they fixed only part of the problem," he said, adding that time constraints are likely to blame for this approach.
