The company said its quarterly Critical Patch Update contains 41 security fixes across hundreds of Oracle products. Some of the vulnerabilities addressed, several of them labeled "high risk," affect multiple products, including databases, application servers and business software.
The patch -- affecting Oracle Database, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel SimBuilder -- includes 17 new security fixes for the Oracle Database, 11 new security fixes for the Oracle E-Business Suite, and three new security fixes for Oracle Application Server.
Some of the vulnerabilities addressed allow the affected Oracle products to be exploited remotely without authentication. That is, they may be exploited over a network without the need for a username and password.
Following this news, Slavik Markovich, CTO of Sentrigo, emailed SCMagazineUS with this update:
"I can see advanced queuing in there. An endless source for SQL injections and buffer overflows. It looks like the number of affected database components is larger this time than previous times, including patches in the core RDBMS engine and query optimizer. Also present are external tools such as export and data pump. What's really interesting is that two of the vulnerabilities can be remotely exploited without authentication, which basically means that your database is a sitting duck unless you deploy this patch. The last we saw of those was, I believe, 2 CPUs ago."