20.7.07

Oracle patches 45 vulnerabilities in its databases

Oracle released patches for 45 flaws, 13 of which allow an attacker to exploit various Oracle products remotely without proper access credentials, in its latest round of quarterly Critical Patch Updates on Tuesday.

Among the products affected are multiple versions of the Oracle Database, Application Express, Secure Enterprise Server Search, Application Server, Collaboration Suite, E-Business Suite and the PeopleSoft customer-relationship management (CRM) software.

Seventeen of the 45 vulnerabilities affect revisions of Oracle’s Database Server (two are among the 13 that can be exploited remotely).

Here's a breakdown of the 45 fixes deployed in the July Critical Patch Update (CPU):

* 18 are for Oracle Database Server, with two that patch flaws that are remotely exploitable without credentials.

* One is for Oracle Application Express.

* Four are for Oracle Application Server, including three that patch flaws that are remotely exploitable.

* One is for Oracle Collaboration Suite, patching a flaw that can be exploited remotely.

* 14 are for Oracle E-Business Suite, with six that patch flaws that are remotely exploitable.

* Seven are for Oracle PeopleSoft Enterprise, with one for a remotely exploitable flaw.

Secunia, a private security research firm, rated the patches "highly critical." The company noted that Oracle has not released enough details on some of the vulnerabilities to predict their impact but that other flaws "can be exploited to bypass certain security restrictions and conduct SQL injection attacks." For instance, one of the vulnerabilities, in Oracle’s Application Express (APEX), does not correctly "sanitize," or normalize, input passed via the password function before using it in SQL queries. (APEX is a free tool that allows building, deploying and managing secure web applications via a web browser.) This can be exploited to modify SQL queries by injecting arbitrary SQL code into the password field, according to Secunia.

Certain input processed by the DBMS_PRVTAQIS function suffers from a similar vulnerability and can also be exploited via SQL injection, Secunia said.
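The sanitization failure Secunia describes above, shown as an added example that is not Oracle's or APEX's code: a hypothetical password check that splices the password value into the SQL text, beside the same check written with bind variables, both run against a constructed SQLite table (the table, user and password are invented for the demonstration).

```python
import sqlite3


def make_db():
    """Constructed sample schema (not the APEX schema): one user, one password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_users (username TEXT, password TEXT)")
    db.execute("INSERT INTO app_users VALUES ('alice', 'correct-horse')")
    return db


def check_password_concat(db, username, password):
    """Vulnerable pattern: the password value is spliced into the SQL text,
    so quote characters in it change the query's structure instead of
    being compared as data."""
    sql = ("SELECT COUNT(*) FROM app_users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def check_password_bound(db, username, password):
    """Hardened pattern: bind parameters keep the query shape fixed; the
    password is compared as an opaque value whatever characters it holds."""
    sql = "SELECT COUNT(*) FROM app_users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed password-field input containing a quote and an OR clause,
# the kind of value the article says the APEX password function did not
# sanitize before use in a query.
INJECTED = "x' OR '1'='1"


def demo():
    """Run both checks with a correct password and with the injected value.
    The concatenating version accepts the injected value (the OR clause is
    now part of the WHERE); the bound version rejects it."""
    db = make_db()
    return {
        "concat_valid": check_password_concat(db, "alice", "correct-horse"),
        "concat_injected": check_password_concat(db, "alice", INJECTED),
        "bound_valid": check_password_bound(db, "alice", "correct-horse"),
        "bound_injected": check_password_bound(db, "alice", INJECTED),
    }
```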

While "Oracle is doing a pretty good job" of testing and fixing problems, most major software developers are falling down in creating secure code, said Bill Bartow, vice president of product management for Tizor, a database auditing company.

"Building secure code must be a fundamental of their code-development processes and has to be institutionalized across their environment," he said. "The industry could do a better job of testing their products for vulnerabilities before they ship them. A few [developers] are doing that, but the rest of the industry has a long way to go. Until they do, we’ll continue to see vulnerabilities [in enterprise applications]."

As part of its latest round of patches, Oracle also released what it called its "napply CPU" (pronounced "N Apply"). This feature helps customers who encounter merge conflicts when installing CPU patches, Oracle’s Eric Maurice said in a blog posting.

He said that napply CPU simplifies patch conflict-resolution procedures and speeds the resolution of security vulnerabilities. He called the napply CPU an "enhanced" offering for the Unix and Linux versions of the Oracle database server that groups "molecules" of security fixes in a way that eliminates conflicts with other molecules within the server.

Oracle has scheduled its next round of Critical Patch Updates for Oct. 16.

Author: Jim Carr



19.7.07

Oracle to buy ID theft detection company Bharosa

Acquisition will extend Oracle's Identity Management capabilities. While most of Oracle's recent purchases have focused on growing its applications business, the vendor's latest proposed purchase will beef up its growing identity management operation.

Oracle announced Wednesday that it has agreed to buy Bharosa, a provider of software to help detect online identity theft and fraud. The companies didn't reveal the financial details of the acquisition, which is expected to close next month.

"The transaction will extend Oracle's Identity Management capabilities by adding proactive real time risk-analysis, strong authentication and fraud prevention," Hasan Rizvi, vice president, identity management and security products at Oracle, wrote in a letter to customers.

Identity Management is part of Oracle's Fusion middleware.

Bharosa has two main products -- Tracker, antifraud software that works by verifying a variety of factors to confirm identity, and Authenticator, a suite of secure authentication software, which works with Web browsers to protect a range of sensitive information such as passwords from malicious attacks. Once the purchase is completed, Oracle plans to add some of Bharosa's Tracker and Authenticator software to its existing online single sign-on (SSO) and Web-based authorization security products. The intention is to expand the use of Oracle's identity management software outside of an enterprise to safely encompass external users. At the same time, Oracle committed to continue to make Bharosa's software available on a stand-alone basis and to offer integrations with non-Oracle databases and applications as well as its own products.

Bharosa has more than 30 customers for its real-time fraud detection and multifactor online authentication enterprise security software. Consumer Web sites using Bharosa's technologies include Wells Fargo and National City. In total, the company estimates its software protects 27 million users. Other Bharosa customers are AudioTel, a supplier of software to banks, and I-flex solutions, an Indian financial services software vendor and a majority-owned Oracle subsidiary.

Founded in 2003, privately held Bharosa has its headquarters in Santa Clara, Calif. The company's name means "trust" in Hindi.

Oracle was previously busy on the identity management front in 2005 buying up three companies -- Oblix, OctetString, and Thor -- for their technologies, which the vendor then integrated into its security offerings.

Author: China Martens



18.7.07

Google Maps Gets Used For Oracle's Field Service

The word “oracle” has a number of definitions, and they generally relate to knowledge provided by one or more deities - this would, in theory, be some solid intel. But the Oracle company has recently turned to Google in order to get people on the correct path.

I mean that in a literal sense; as acknowledged in a press release, “Oracle today announced the integration of Google Maps for Enterprise mapping service with Oracle Field Service, giving companies new tools to help improve customer service, maximize resource utilization and increase operational efficiencies.”

So technicians will always be on time, company vehicles will save hundreds of gallons of gas, and prices everywhere will plummet! Or not. But there may be slight improvements in all of these areas, and at the very least, the deal has given both Google and Oracle some extra exposure.

“We are pleased to see the innovative ways in which Oracle is using Google Maps for Enterprise to deliver geo-based capabilities that are both powerful and easy-to-use,” said Noah Doyle, the product manager of Google Maps for Enterprise, in the release. Mike Betzer, Oracle’s Vice President of CRM Product strategy, expanded on those sentiments - and mentioned a buzzword or two. “By integrating Google Maps for Enterprise, Oracle Field Service delivers on the promise of an extended Service Oriented Architecture and Web 2.0 collaboration,” he stated. “Oracle CRM users will derive tremendous business value through advanced map views and interactions; at the same time receiving a world-class user experience through the Google Maps User Interface.”

Hey, there - maybe the Google-Oracle development will save time, gas, and money, and also not stress the guy who’s running the whole show.

Hat tip to China Martens of the IDG News Service.

Author: Doug Caverly

