15.7.09

Oracle Fixes Highly Exploitable Flaws

While Oracle's latest quarterly critical patch may fix fewer flaws than previous quarterly patches, today's release is notable for the number of flaws that can be exploited without credentials, according to Amichai Shulman, CTO of Imperva and a former member of the security center of the Israeli Defense Forces (IDF).

Two vulnerabilities were rated a 10 on the CVSS scale, on which 10 is the highest possible risk, because they allow an attack on the system without authentication. Being able to exploit a flaw without valid database credentials makes these flaws extremely important. Those critical vulnerabilities are in the BEA JRockit application and in Oracle Secure Backup.

BEA JRockit is Oracle's Java technology, and the critical vulnerabilities affect the latest versions of the software, R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2). A user can exploit them to do damage without having the necessary credentials.

Oracle also issued patches for the following other BEA products: Oracle Complex Event Processing and Oracle WebLogic Server.

Oracle also issued two fixes for flaws in Oracle Secure Backup, one of which is a critical flaw rated a 10 on the CVSS. A user can exploit it to do damage without having the necessary credentials. The other is rated 9 because although it also allows a complete takeover of a PC, it requires valid credentials.

Oracle's most popular software, Oracle Database, received 10 fixes today. Some of the patches apply to the new 11g product. Oracle said that three of those fixes address flaws that can be exploited without a user name and password, and one rates a 9 on the CVSS on Windows (but a 6.5 if Oracle is running on Unix or Linux). This flaw enables the complete takedown of a database on Windows and a partial takedown on Unix or Linux.

Shulman said that the flaw was likely related to networking components, such as the Oracle Listener component, rather than to the core of the database itself. In April, Cisco released a proof-of-concept attack on the Oracle Database Listener designed to work on Windows because it attacked a specific DLL file. The flaw that Cisco demonstrated has been fixed.

Lower rated fixes still pose risks

The two fixes issued to Oracle Application Server were rated a 5 out of 10, but both could be exploited without user credentials. Of eight new fixes to Oracle Applications Suite, five could be exploited without user credentials, but none were rated higher than 6. Two new fixes for Oracle Enterprise Manager Suite were not rated higher than 5.5 and were not exploitable without credentials.

Of three new patches for the PeopleSoft and JDEdwards Suite, one fixed a flaw that could be exploited without user credentials, but none was rated higher than 5.5.

One fix was issued for the Oracle Siebel Suite and although it could be exploited without user credentials, it was rated only 3.

But Shulman said that the low CVSS scores may understate the risk. "Using very simple tools like a text editor and a Telnet program, available on every PC, I can bring down a production database server," he said. "Oracle follows the CVSS scoring standard and these flaws score relatively low, but in reality that's a pretty big security risk."

Author: Alex Goldman @ www.internetnews.com


3.7.09

Oracle to cut 1,000 European jobs

Oracle plans to lay off up to 1,000 workers in Europe, or about one per cent of its global staff, as the recession erodes the giant software company's earnings, it emerged yesterday. The world's second biggest listed software maker would be one of the last major technology companies to undertake significant layoffs in this economic downturn.

Source: http://www.cityam.com


1.7.09

National Bank of Cambodia to implement Oracle Flexcube

National Bank of Cambodia is to implement Oracle's Flexcube core banking package as it bids to modernise the country's antiquated financial system.

The central bank will use the system to automate operations across deposits, loans, foreign exchange, money markets, securities, funds transfer and asset management.

Thai Saphear, head of the governor's office, National Bank of Cambodia, says: "We see technology as a key enabler in the modernisation of our financial system and are taking steps to deploy a core banking system that provides a platform for effectively and efficiently managing growth."

Supported by the Asian Development Bank, the implementation project will be led by Oracle in association with local companies interFlex and Neeka.

InterFlex will provide National Bank of Cambodia with environmental software and implementation services for the core banking implementation. Neeka, part of the Thakral Group of Companies, will provide the hardware infrastructure and support services for the project.

Source: http://www.finextra.com
