Oracle patches for high-severity flaws


Oracle has issued security patches for a number of its products, including several fixes for vulnerabilities rated "high" severity on the Common Vulnerability Scoring System (CVSS), with a base score of more than 7 [out of 10], according to the company's advisory.

The products affected include the Oracle Database, Application Server, E-Business Suite, PeopleSoft and JD Edwards Suite, as well as its BEA Products Suite.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the Oracle advisory warned. “This (quarterly update) contains 43 new security fixes across all products.”

An update for the Oracle Database product includes 16 new security vulnerability fixes, two of which may be remotely exploited without authentication – that is, exploited over a network without the need for a username and password. (The patches do not apply to Oracle Database client-only installations.)

“Of the database vulnerabilities, most of them were SQL injection vulnerabilities,” Amichai Shulman, CTO of security firm Imperva, told on Wednesday. “A couple were related to the underlying network protocols.”

The patches also include 12 new security fixes for the Oracle Application Server. Oracle said that three of these vulnerabilities may be remotely exploitable without authentication. Oracle Application Server components that ship bundled with the Oracle Database product are also affected by the vulnerabilities these updates fix; the bundled components include BI Publisher, OPMN, Outside In Technology and Oracle Portal.

In the updates for the BEA products, eight new security fixes address remotely exploitable vulnerabilities. The fixes cover products such as the Oracle Data Service Integrator and AquaLogic Data Services Platform, Oracle JRockit, Oracle WebLogic Portal and Oracle WebLogic Server.

“This is not the first time that Oracle pushed out fixes for this kind of problem -- in fact, in the very same modules,” Shulman said. “It's not that surprising. Because WebLogic is an internet-facing product, it's not unusual to find remotely exploitable vulnerabilities that can be compromised without credentials in these kinds of products, rather than database products.”

