Oracle fixes 38 flaws, four earn highest severity rating

Oracle on Tuesday delivered patches to correct 38 vulnerabilities across its line of products, including four that received the highest severity rating possible.

On its popular Database Server product, Oracle's quarterly security update corrected 16 flaws, six of which could be remotely exploited without authentication. Three of the database bugs received a rare 10 out of 10 rating under the Common Vulnerability Scoring System (CVSS), used to determine the flaw's severity.

In the case of those three vulnerabilities, a successful exploit could result "in a full compromise of the targeted system, down to the [Windows] operating system," said Eric Maurice, manager of security in Oracle's global technology business unit, on a company blog. On other platforms, however, the flaws garnered less serious ratings because an attack would not lead to a compromise at the operating system layer.

"Due to the severity of the new Database Server vulnerabilities, Oracle recommends that this [update] be applied against the affected systems as soon as possible," Maurice said, adding that tools such as network access control, firewalls and reverse proxies can mitigate some of the risks associated with the bugs.

"As a matter of good security practice, a database server should not be exposed to the internet, and connections to databases should be limited to securely configured application servers and trusted staff," he said.

Tuesday's update also included patches for Application Server, E-Business Suite, PeopleSoft Enterprise, JD Edwards Tools, WebLogic/JRockit and Communications Order and Service Management.

Of the six vulnerabilities patched in WebLogic/JRockit, one received a CVSS score of 10, Maurice said. It impacts the Sun Java Runtime Environment.

Half of the 38 total fixes could be remotely exploited without authentication.

Oracle's next scheduled critical patch update is Jan. 12, 2010.
