Oracle released fixes for 65 security vulnerabilities today.
All were part of the Redwood Shores, Calif.,-company's quarterly Critical Patch Update (CPU). They affect a range of Oracle products - the majority database and E-Business Suite software - and the company has not suggested workarounds for the alerts but instead advised customers to install the patch.
Most of the concern in this patch cycle is on the increasing prevalence of database security problems, said Amichai Shulman, director of Imperva's Application Defense Center (ADC), a database vulnerability research group. Shulman said that the 23 database-related flaws patched today fall into three categories: protocol violations, SQL injections and flaws associated with stored procedures.
Based on his research, some of the most alarming flaws are protocol violations, which he said are quickly becoming a favorite attack vector for the bad guys.
Oracle patched 36 flaws in April as part of its last patch release.
"These are vulnerabilities in the underlying network protocol between Oracle clients and Oracle servers," he said. "These are the most dangerous type of vulnerability because they do not require database credentials at all and they leave no trace in the database audit trail and there is absolutely no workaround for them."
Included in the protocol violation flaws this cycle are four on the database client side, a rarity as most Oracle security problems are server-related. These fixes will require patch installation on the PC level.
While this may create additional work for administrators, Oracle told customers not overlook these problems, as three of the four are severe. As Shulman mentioned, this is because these flaws require no authentication to exploit.
Shulman said that the market will continue to see these protocol violations now that attackers have recognized them as a vector because they are extremely rampant among all types of database software.
"We are starting to see more and more vulnerabilities of this type," he said. "It isn't just with Oracle."
