Oracle patches for high-severity flaws


Oracle has issued security patches for a number of its products, including several fixes that were rated as "high" severity on the Common Vulnerability Scoring System (CVSS), with a base score of more than 7 [out of 10], according to the company's advisory.

The products affected include the Oracle Database, Application Server, E-Business Suite, PeopleSoft and JD Edwards Suite, as well as its BEA Products Suite.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the Oracle advisory warned. “This (quarterly update) contains 43 new security fixes across all products.”

An update for the Oracle Database product includes 16 new security vulnerability fixes, two of which may be remotely exploited without authentication – that is, exploited over a network without the need for a username and password. (The patches do not apply to Oracle Database client-only installations.)

“Of the database vulnerabilities, most of them were SQL injection vulnerabilities,” Amichai Shulman, CTO of security firm Imperva, said on Wednesday. “A couple were related to the underlying network protocols.”
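Shulman names the bug class without showing it. The PL/SQL below is an added example written for this page, not code from Oracle, Imperva or the original article, and it does not reproduce any of the patched flaws. It puts a stored procedure that builds dynamic SQL by string concatenation next to the bind-variable fix, and shows why such a bug matters inside the database: the procedure runs with its owner's privileges, so a low-privileged caller who controls the input gets the owner's view of the data. The tables app_users and app_secrets, both procedures and the attack string are hypothetical.

```sql
-- Added example, not from Oracle's advisory or the article. The table names,
-- procedure names and the attack string are hypothetical.

CREATE TABLE app_users (
  username VARCHAR2(30)  PRIMARY KEY,
  email    VARCHAR2(100) NOT NULL
);

-- Data the procedure's owner can read but the calling account cannot.
CREATE TABLE app_secrets (
  api_key VARCHAR2(64) NOT NULL
);

INSERT INTO app_users   VALUES ('alice', 'alice@example.com');
INSERT INTO app_secrets VALUES ('sk_live_hypothetical_0000');
COMMIT;

-- VULNERABLE: caller-controlled text is spliced into the statement. A PL/SQL
-- procedure runs with definer's rights by default, so whatever the injected SQL
-- does happens with the owner's privileges, not the caller's. Granting EXECUTE
-- on it to a low-privileged account turns the bug into a privilege escalation.
CREATE OR REPLACE PROCEDURE lookup_email_unsafe (p_name IN VARCHAR2)
AS
  v_result VARCHAR2(4000);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_users WHERE username = ''' || p_name || ''''
    INTO v_result;
  DBMS_OUTPUT.PUT_LINE(v_result);
END;
/

-- Attack: close the string literal, UNION in a column from app_secrets, and
-- comment out the closing quote the procedure appends. The SQL that runs is
--   SELECT email FROM app_users WHERE username = 'nobody'
--   UNION SELECT api_key FROM app_secrets WHERE ROWNUM = 1 --'
-- No user 'nobody' exists, so exactly one row comes back: the API key.
BEGIN
  lookup_email_unsafe(
    q'[nobody' UNION SELECT api_key FROM app_secrets WHERE ROWNUM = 1 --]');
END;
/

-- FIXED: the SQL text is a constant and the input travels as a bind variable,
-- so no value of p_name can change the statement's structure.
CREATE OR REPLACE PROCEDURE lookup_email_safe (p_name IN VARCHAR2)
AS
  v_result app_users.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_users WHERE username = :name'
    INTO v_result USING p_name;
  DBMS_OUTPUT.PUT_LINE(v_result);
END;
/

-- The same payload against the fixed procedure is just an unknown username:
-- NO_DATA_FOUND is raised and app_secrets is never touched.
BEGIN
  lookup_email_safe(
    q'[nobody' UNION SELECT api_key FROM app_secrets WHERE ROWNUM = 1 --]');
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('no such user (injection attempt was inert)');
END;
/
```

Run it as the schema owner in SQL*Plus or SQLcl with `SET SERVEROUTPUT ON`: the first anonymous block prints the hypothetical API key, the second reports no such user. Binds only work for values; where a caller must supply an identifier such as a table or column name, which cannot be bound, validate it with the `DBMS_ASSERT` package (for example `DBMS_ASSERT.SQL_OBJECT_NAME` or `ENQUOTE_NAME`) before concatenating. Declaring the procedure `AUTHID CURRENT_USER` is a separate, defence-in-depth measure that makes a residual bug run with the caller's privileges instead of the owner's, at the cost of name resolution happening in the caller's schema.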

The patches also include 12 new security fixes for the Oracle Application Server, three of which Oracle said may be remotely exploitable without authentication. Several of the affected Application Server components also ship bundled with Oracle Database, among them BI Publisher, OPMN, Outside In Technology and Oracle Portal, so database installations that include those components are covered by these fixes as well.

The BEA product suite receives eight new security fixes for remotely exploitable flaws, in products including the Oracle Data Service Integrator and AquaLogic Data Services Platform, Oracle JRockit, Oracle WebLogic Portal and Oracle WebLogic Server.

“This is not the first time that Oracle pushed out fixes for this kind of problem -- in fact, in the very same modules,” Shulman said. “It's not that surprising, because WebLogic is an internet-facing product; it's not unusual to find remotely exploitable vulnerabilities that can be compromised without credentials in these kinds of products, rather than database products.”

