Patch/Configuration Management, Vulnerability Management

Surprise business suite fix from Oracle

Oracle released an out-of-cycle patch for its business suite on Thursday, nearly two months before its next scheduled quarterly patch release.

The fix was intended for Oracle Diagnostics, a troubleshooting feature of Oracle E-Business Suite 11i, "that allows system administrators and other users to execute technical and functional tests on the configuration and setup of the application," according to analysis by the Integrigy Corporation.

Integrigy said last week that a number of security holes exist within the program.

"There exist a number of high-risk security vulnerabilities in the Oracle Diagnostics web pages and Java classes. The most significant issue with the Oracle Diagnostics is that some of the diagnostics can be executed without any authentication, and it is possible to configure the diagnostics to be unrestricted," Integrigy said. "Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."

The security update will also be included in Oracle's next scheduled security bulletin release on April 18.

Before the patch's release, diagnostics tests could be accessed without approval from the program, Integrigy said.

"The most significant security change in this patch is the implementation of function security, which limits access to the diagnostics tests," the firm said. "Prior to this patch, some of the diagnostics tests could be accessed without even logging into Oracle Applications."

Oracle security expert Pete Finnigan said on his weblog that Oracle "does not normally publicize the security fixes."

"It is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," he said. "Cynical observers may think that Oracle (is) encouraging customers to upgrade to make support easier by encouraging application of the patch."

Swa Frantzen of the SANS Institute's Internet Storm Center said Tuesday that the organization could not quickly obtain information on the patch because of the Oracle site's security.

"Unfortunately, the details of Oracle are hidden behind a login system so the security officer's analysis takes much longer than strictly needed," said Frantzen.

T. Brian Granier, of the SANS Institute, said the institute had heard reports of an out-of-cycle patch on Saturday.
