Oracle patches 36 flaws


Oracle released its quarterly critical patch update (CPU) Tuesday, correcting 36 flaws on company products, including its database, application server and other business applications.

Most notable among them is a fix for the PL/SQL Gateway, which acts as a proxy between the web server and the back-end database server. If the vulnerability is exploited, a malicious hacker could take over as database administrator and gain access to the database.

British security researcher David Litchfield reported this flaw to Oracle last October and then chastised the company at this year's Black Hat Federal security conference for not fixing it in its first CPU of the year. Oracle shot back, accusing Litchfield of putting its customers at risk.

Tuesday's CPU also fixed 14 database flaws, five in the Collaboration Suite and 15 in the E-Business Suite. The update included the release of an enhanced default password scanner to prevent unauthorized hacker access as well.

"Customers should apply this CPU as quickly as possible within their change-management cycle," said Ron Ben-Natan, chief technology officer of Guardium, a Waltham, Mass., database security and compliance firm. "Many of the vulnerabilities are easy to exploit and do not require advanced knowledge or skills."

This update contained considerably fewer patches than the previous two critical patch updates. In January, the Redwood Shores, Calif., company issued fixes for 82 flaws, and in October it remedied another 80.

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

A Gartner analyst slammed Oracle in January, saying the size of the latest CPUs proves "Oracle can no longer be considered a bastion of security."

In November 2004, Oracle began issuing updates four times a year. At the time, company Chief Security Officer Mary Ann Davidson said quarterly releases would not leave users exposed for long but also would not overwhelm them with the need for constant fixes.
