Oracle patches for high-severity flaws


Oracle has issued security patches for a number of its products, including several fixes that were rated as "high" severity on the Common Vulnerability Scoring System (CVSS), with a base score of more than 7 [out of 10], according to the company's advisory.

The products affected include the Oracle Database, Application Server, E-Business Suite, PeopleSoft and JD Edwards Suite, as well as its BEA Products Suite.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the Oracle advisory warned. “This (quarterly update) contains 43 new security fixes across all products.”

An update for the Oracle Database product includes 16 new security vulnerability fixes, two of which may be remotely exploited without authentication – that is, exploited over a network without the need for a username and password. (The patches do not apply to Oracle Database client-only installations.)

“Of the database vulnerabilities, most of them were SQL injection vulnerabilities,” Amichai Shulman, CTO of security firm Imperva, told on Wednesday. “A couple were related to the underlying network protocols.”

The patches also include 12 new security fixes for the Oracle Application Server. Oracle said that three of these vulnerabilities may be remotely exploitable without authentication. Oracle Application Server components that ship bundled with the Oracle Database product are also affected by the vulnerabilities these updates fix. The bundled products include BI Publisher, OPMN, Outside In Technology and Oracle Portal.

In the updates for the BEA products, eight new security fixes sewed up remote exploitation holes. The fixes included patches for products such as the Oracle Data Service Integrator and AquaLogic Data Services Platform, Oracle JRockit, Oracle WebLogic Portal and Oracle WebLogic Server.

“This is not the first time that Oracle pushed out fixes for this kind of problem -- in fact, in the very same modules,” Shulman said. “It's not that surprising, because WebLogic is an internet-facing product; it's not unusual to find remotely exploitable vulnerabilities that can be compromised without credentials in these kinds of products, rather than database products.”
