Oracle has issued security patches for a number of its products, including several fixes that were rated as “high” severity on the Common Vulnerability Scoring System (CVSS), with a base score of more than 7 [out of 10], according to the company’s advisory.
The products affected include the Oracle Database, Application Server, E-Business Suite, PeopleSoft and JD Edwards Suite, as well as its BEA Products Suite.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the Oracle advisory warned. “This (quarterly update) contains 43 new security fixes across all products.”
An update for the Oracle Database product includes 16 new security vulnerability fixes, two of which may be remotely exploited without authentication – that is, exploited over a network without the need for a username and password. (The patches do not apply to Oracle Database client-only installations.)
“Of the database vulnerabilities, most of them were SQL injection vulnerabilities,” Amichai Shulman, CTO of security firm Imperva, told SCMagazineUS.com on Wednesday. “A couple were related to the underlying network protocols.”
The patches also include 12 new security fixes for the Oracle Application Server. Oracle said that three of these vulnerabilities may be remotely exploitable without authentication. The Oracle Application Server components bundled with the Oracle Database product are also affected by the vulnerabilities these updates fix; the bundled products include BI Publisher, OPMN, Outside In Technology and Oracle Portal.
In the updates for the BEA products, eight new security fixes close holes that could be exploited remotely. The fixes include patches for products such as the Oracle Data Service Integrator and AquaLogic Data Services Platform, Oracle JRockit, Oracle WebLogic Portal and Oracle WebLogic Server.
“This is not the first time that Oracle pushed out fixes for this kind of problem — in fact, in the very same modules,” Shulman said. “It’s not that surprising, because WebLogic is an internet-facing product, it’s not unusual to find remotely exploitable vulnerabilities that can be compromised without credentials in these kinds of products, rather than database products.”