20.7.07

Oracle patches 45 vulnerabilities in its databases

Oracle released patches for 45 flaws, 13 of which allow an attacker to exploit various Oracle products remotely without proper access credentials, in its latest round of quarterly Critical Patch Updates on Tuesday.

Among the products affected are multiple versions of the Oracle Database, Application Express, Secure Enterprise Server Search, Application Server, Collaboration Suite, E-Business Suite and the PeopleSoft customer-relationship management (CRM) software.

Seventeen of the 45 vulnerabilities affect revisions of Oracle’s Database Server, two of them among the 13 flaws that can be exploited remotely without credentials.

Here's a breakdown of the 45 fixes deployed in the July Critical Patch Update (CPU):

* 18 are for Oracle Database Server, with two that patch flaws that are remotely exploitable without credentials.

* One is for Oracle Application Express.

* Four are for Oracle Application Server, including three that patch flaws that are remotely exploitable.

* One is for Oracle Collaboration Suite, patching a flaw that can be exploited remotely.

* 14 are for Oracle E-Business Suite, with six that patch flaws that are remotely exploitable.

* Seven are for Oracle PeopleSoft Enterprise, with one for a remotely exploitable flaw.

Secunia, a private security research firm, rated the patches "highly critical." The company noted that Oracle has not released enough details on some of the vulnerabilities to predict their impact, but that other flaws "can be exploited to bypass certain security restrictions and conduct SQL injection attacks."

For instance, one of the vulnerabilities, in Oracle’s Application Express (APEX), stems from input passed via the password function not being properly sanitized before it is used in SQL queries. (APEX is a free tool for building, deploying and managing web applications through a web browser.) An attacker can exploit this to alter the query by injecting arbitrary SQL code into the password field, according to Secunia.

Certain input processed by the DBMS_PRVTAQIS package suffers from a similar flaw and can likewise be exploited through SQL injection, Secunia said.
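The flaw class Secunia describes, untrusted input concatenated into dynamic SQL inside PL/SQL, is easiest to see side by side with its fix. The following is an added example, not APEX's code or the DBMS_PRVTAQIS package: the table `app_users`, the functions `check_login_unsafe` and `check_login_safe` and the stored value `hash_of_alice_pw` are all constructed for illustration (a real application would store a salted hash, not a placeholder string).

```sql
-- Constructed demo schema (added example; not Oracle's or APEX's own code).
CREATE TABLE app_users (
  username VARCHAR2(30) PRIMARY KEY,
  pw_hash  VARCHAR2(64) NOT NULL
);
INSERT INTO app_users VALUES ('alice', 'hash_of_alice_pw');
COMMIT;

-- VULNERABLE: the caller-supplied password is glued into the statement
-- text, so quote characters in it become SQL syntax. Hypothetical routine
-- written to show the flaw class the article reports, not the real code.
CREATE OR REPLACE FUNCTION check_login_unsafe (
  p_user IN VARCHAR2,
  p_pw   IN VARCHAR2
) RETURN NUMBER
AS
  l_stmt  VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_stmt := 'SELECT COUNT(*) FROM app_users WHERE username = '''
            || p_user || ''' AND pw_hash = ''' || p_pw || '''';
  EXECUTE IMMEDIATE l_stmt INTO l_count;
  RETURN l_count;   -- 1 means "authenticated"
END;
/

-- FIXED: bind variables carry the values separately from the statement
-- text, so no input can change the query's structure.
CREATE OR REPLACE FUNCTION check_login_safe (
  p_user IN VARCHAR2,
  p_pw   IN VARCHAR2
) RETURN NUMBER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_users WHERE username = :u AND pw_hash = :p'
    INTO l_count USING p_user, p_pw;
  RETURN l_count;
END;
/

-- Demonstration: the injected "password" closes the string literal and
-- appends an always-true predicate.
SET SERVEROUTPUT ON
DECLARE
  l_payload VARCHAR2(100) := q'[x' OR '1'='1]';
BEGIN
  -- Unsafe: the statement becomes
  --   ... WHERE username = 'alice' AND pw_hash = 'x' OR '1'='1'
  -- AND binds tighter than OR, so every row matches and the count is 1:
  -- the login "succeeds" without the password.
  DBMS_OUTPUT.PUT_LINE('unsafe: ' || check_login_unsafe('alice', l_payload));
  -- Safe: the same string is compared literally to pw_hash; count is 0.
  DBMS_OUTPUT.PUT_LINE('safe:   ' || check_login_safe('alice', l_payload));
END;
/
```

Binds fix the case where the input is a value. Where input must become part of the statement text itself, such as a table or column name that cannot be bound, the equivalent guard is to validate it with the DBMS_ASSERT package (for example `DBMS_ASSERT.SIMPLE_SQL_NAME`) before concatenation.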

While "Oracle is doing a pretty good job" of testing and fixing problems, most major software developers are falling down in creating secure code, said Bill Bartow, vice president of product management for Tizor, a database auditing company.

"Building secure code must be a fundamental of their code-development processes and has to be institutionalized across their environment," he said. "The industry could do a better job of testing their products for vulnerabilities before they ship them. A few [developers] are doing that, but the rest of the industry has a long way to go. Until they do, we’ll continue to see vulnerabilities [in enterprise applications]."

As part of its latest round of patches, Oracle also released what it called its "napply CPU" (pronounced "N Apply"). This feature helps customers who encounter merge conflicts when installing CPU patches, Oracle’s Eric Maurice said in a blog posting.

He said that napply CPU simplifies patch conflict-resolution procedures and speeds the resolution of security vulnerabilities. He called the napply CPU an "enhanced" offering for the Unix and Linux versions of the Oracle database server that groups "molecules" of security fixes in a way that eliminates conflicts with other molecules within the server.

Oracle has scheduled its next round of Critical Patch Updates for Oct. 16.

Author: Jim Carr
