Oracle issues security patches in seven product lines


Oracle issued security updates Tuesday for 30 security vulnerabilities in seven of its product lines, as part of its regular quarterly patch cycle.

The patches fix vulnerabilities in Oracle Database Server, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle Siebel Enterprise, Oracle PeopleSoft and JD Edwards Suite, and the Oracle BEA Products Suite, according to the Oracle update advisory.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the advisory said.

The most serious flaws fixed were those an attacker can exploit without valid credentials. The highest severity rating (CVSS 10.0) went to JRockit, part of the Oracle BEA Products Suite, and to Secure Backup HTTP, a component of Oracle Database. Both components had vulnerabilities that are remotely exploitable without authentication, that is, exploitable over a network with no username or password required.

"They [the patches] indicate a vulnerability in the network protocol layer," Amichai Shulman, chief technology officer at database security firm Imperva, said Wednesday in an email. "It's possible that the attack could go undetected. Since this is a protocol level attack, tools that monitor only SQL activity, native audit solutions, or solutions that have visibility only to internal host based activity, will not have any indication that the server is under attack."

Oracle offered some possible workarounds for organizations that cannot immediately apply the patches.

“It may be possible to reduce the risk of successful attack by restricting network protocols required by an attack,” the advisory said. “For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack.”

Unfortunately, both of these approaches may break application functionality, according to Oracle's advisory. It recommended that users test changes on nonproduction systems, and said neither approach should be considered a long-term solution.
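The two workarounds Oracle describes, restricting the network protocols an attack needs and removing package privileges from unprivileged users, translate into a host firewall allowlist and a set of REVOKE statements. The script below is an added example, not code from the article or from Oracle's advisory. It assumes a Linux host with iptables, that the database listener is on TCP 1521 and the Secure Backup web tool on TCP 443, and that only two constructed addresses (an application server and a backup administration host) legitimately need those ports. The package names in REVOKE_PACKAGES are placeholders for the packages named in the advisory, not a statement about which packages were vulnerable. By default the script is a dry run that prints what it would do; pass "apply" to execute the firewall rules. The SQL is printed for a DBA to review and run in a nonproduction instance first, as the advisory recommends.

```shell
#!/bin/sh
# Added example: implements Oracle's two interim workarounds as a reviewable
# dry run. Ports, hosts and package names below are assumptions, not from
# the advisory.

ORACLE_PORTS="1521 443"                  # assumed: listener and Secure Backup web tool
ALLOWED_HOSTS="10.0.1.10 10.0.1.11"      # constructed: app server, backup admin host
REVOKE_PACKAGES="SYS.UTL_HTTP SYS.UTL_TCP"  # placeholders; substitute the advisory's packages

# build_rules PORT: allow the listed hosts to reach PORT, drop everyone else.
# Order matters: ACCEPT lines must precede the final DROP.
build_rules() {
    port="$1"
    for host in $ALLOWED_HOSTS; do
        echo "iptables -A INPUT -p tcp --dport $port -s $host -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# all_rules: rules for every protected port, one command per line.
all_rules() {
    for p in $ORACLE_PORTS; do
        build_rules "$p"
    done
}

# count_rules: sanity check before applying; expect (hosts + 1) per port.
count_rules() {
    all_rules | wc -l | tr -d ' '
}

# revoke_sql: remove EXECUTE on the listed packages from PUBLIC so that only
# accounts granted access explicitly can call them (the second workaround).
revoke_sql() {
    for pkg in $REVOKE_PACKAGES; do
        echo "REVOKE EXECUTE ON $pkg FROM PUBLIC;"
    done
}

main() {
    if [ "$1" = "apply" ]; then
        # Apply firewall rules; the SQL is still only printed for DBA review.
        all_rules | while read -r cmd; do $cmd; done
    else
        echo "# dry run: $(count_rules) firewall rules"
        all_rules
    fi
    echo "# SQL to run in a nonproduction instance first:"
    revoke_sql
}

main "$@"
```

Because both workarounds can break applications that legitimately use the blocked ports or packages, keep the dry-run output with the change record and re-run the script only after the rules have been tested against a nonproduction copy of each dependent application.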

The Oracle patches hit the same day as Microsoft fixed zero-day vulnerabilities in its DirectShow and Video ActiveX components. The next set of Oracle patches is due in October.
