“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [critical patch update] fixes as soon as possible,” an Oracle advisory warned.
An update for the popular Oracle Database Server product includes seven security vulnerability fixes, none of which address a flaw that is remotely exploitable without authentication, that is, one that can be exploited over a network without a username and password, Oracle said. Two of those flaws were publicly disclosed by well-known database hacker David Litchfield earlier this year at the Black Hat conference in Washington, D.C.
Also, Tuesday's update provides five security fixes for Oracle Fusion Middleware products. The update includes one fix for Oracle Collaboration Suite, eight for Oracle Application Suite, four affecting PeopleSoft and JD Edwards Suite, and six for Oracle Industry Applications, according to an advisory issued Tuesday by US-CERT.
The update also includes 16 new security fixes for the Sun product line, which Oracle acquired in April 2009. This is the first Oracle security update to include fixes for the Sun Solaris operating system.
“With the recent close of the Sun acquisition, both security organizations have worked diligently to align Sun's previous security practices with Oracle's,” Eric Maurice, software security assurance director at Oracle, wrote in a blog post Tuesday.
Alex Rothacker, manager of database protection vendor Application Security's SHATTER research team, told SCMagazineUS.com in an email Wednesday that two of the vulnerabilities, in particular, pose a high risk.
One affects Oracle Database Server and allows for the complete takeover of not only the database, but also the entire server, including the operating system, he said. Another high-risk vulnerability affecting the Oracle Fusion Middleware product can be exploited remotely without authentication and allows for a complete takeover of the database.