Oracle Fixes Highly Exploitable Flaws
While Oracle's latest quarterly critical patch may fix fewer flaws than previous quarterly patches, today's release is notable for the number of flaws that can be exploited without credentials, according to Amichai Shulman, CTO of Imperva and a former member of the security center of the Israeli Defense Forces (IDF).
Two vulnerabilities were rated a 10 on the CVSS scale, on which 10 is the highest possible risk, because they allow an attack on the system without authentication. Being able to exploit a flaw without valid database credentials makes these flaws extremely important. Those critical vulnerabilities are in the BEA JRockit application and in Oracle Secure Backup.
BEA JRockit is Oracle's Java technology, and the critical vulnerabilities affect the latest versions of the software, R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2). A user can exploit them to do damage without having the necessary credentials.
Oracle also issued patches for the following other BEA products: Oracle Complex Event Processing and Oracle WebLogic Server.
Oracle also issued two fixes for flaws in Oracle Secure Backup, one of which is a critical flaw rated a 10 on the CVSS. A user can exploit it to do damage without having the necessary credentials. The other is rated 9 because although it also allows a complete takeover of a PC, it requires valid credentials.
Oracle's most popular software, Oracle Database, received 10 fixes today. Some of the patches apply to the new 11g product. Oracle said that three of those fixes address flaws that can be exploited without a user name and password, and one rates a 9 on the CVSS on Windows (but a 6.5 if Oracle is running on Unix or Linux). This flaw enables the complete takedown of a database on Windows and a partial takedown on Unix or Linux.
Shulman said that the flaw was likely related to networking components, such as the Oracle Listener component, rather than to the core of the database itself. In April, Cisco released a proof-of-concept attack on the Oracle Database Listener designed to work on Windows because it attacked a specific DLL file. The flaw that Cisco demonstrated has been fixed.
Lower rated fixes still pose risks
The two fixes issued to Oracle Application Server were rated a 5 out of 10, but both could be exploited without user credentials. Of eight new fixes to Oracle Applications Suite, five could be exploited without user credentials, but none were rated higher than 6. Two new fixes for Oracle Enterprise Manager Suite were not rated higher than 5.5 and were not exploitable without credentials.
Of three new patches for the PeopleSoft and JDEdwards Suite, one fixed a flaw that could be exploited without user credentials, but none was rated higher than 5.5.
One fix was issued for the Oracle Siebel Suite, and although it could be exploited without user credentials, it was rated only a 3.
But Shulman said that the low CVSS scores may understate the risk. "Using very simple tools like a text editor and a Telnet program, available on every PC, I can bring down a production database server," he said. "Oracle follows the CVSS scoring standard and these flaws score relatively low, but in reality that's a pretty big security risk."
Author: Alex Goldman @ www.internetnews.com
3 comments:
guest blogger invitation
Hello,
This is Rose writing from www.huliq.com. I visited your blog and liked your content.
Would you be interested in sending us a guest post on any of the issues related to the topics that you cover in your blog? We will publish it on our site www.huliq.com
In return, with each guest blog we will give one link in the author's byline back to your blog. We only ask that the guest post (we prefer it be news coverage; sources can be Google News, CNN, MSNBC, Yahoo News, BBC and others) be a unique story and not be published in your blog.
HULIQ is indexed by Google News, and Google requires that the length of the unique news is at least 5 paragraphs. We desire it to be at least 6 paragraphs if possible. And all of it needs to be unique content. Once you send us a new story that is totally unique, we will immediately publish it with your link in it, and within 15 minutes it should be indexed by Google News.
Also, please structure author byline as follows:
author's name:
author's e-mail:
author's blog url:
Please let me know if you may have any questions about www.huliq.com.
If you want to consult the topic with me first that's perfectly fine as well.
Many thanks
ruzik.mail@gmail.com
My friend and I were recently discussing the prevalence of technology in our day-to-day lives. Reading this post makes me think back to that discussion we had, and just how inseparable from electronics we have all become.
I don't mean this in a bad way, of course! Ethical concerns aside... I just hope that as the price of memory falls, the possibility of copying our memories onto a digital medium becomes a true reality. It's one of the things I really wish I could experience in my lifetime.
(Posted on Nintendo DS running [url=http://www.leetboss.com/video-games/r4i-r4-sdhc-nintendo-ds]R4i[/url] DS BB)
Thank you for this wonderful blog