
Oracle delivers database fixes in Critical Patch Update

Ed Scannell, Senior Executive Editor
Oracle has confirmed that the 38 fixes it released yesterday as part of its quarterly Critical Patch Update include three for the company's core database that carry the maximum vulnerability rating of 10.

The affected products, 21 in total, include Oracle Database 9i Release 2, 10g, 10g Release 2 and 11g, Oracle Application Server 10g, and Oracle WebLogic Server. Six of the security patches address vulnerabilities that permit access to the Oracle Database without a user name or password, according to the company. Oracle's BEA products, including JRockit and WebLogic, are also exposed to attacks that require no authentication.

In his blog, Eric Maurice, manager of security in Oracle's global technology business unit, wrote: "Because of the severity of the database vulnerabilities, Oracle recommends that this Critical Patch Update (CPU) be applied against the affected systems as soon as possible."

If any one of the three database vulnerabilities were successfully exploited, it could result in a full compromise of the system, down to the underlying Windows operating system, according to Maurice. The 10 rating applies to Windows, where the database process runs with operating-system-level privileges. On other platforms the flaws carry lower ratings because a successful attack would compromise the database but not the operating system layer, he wrote.

Until the Critical Patch Update can be applied, common network access-control products such as reverse proxies and firewalls, which are typically deployed around sensitive systems, can "greatly reduce" the risk these vulnerabilities pose, Maurice wrote. Because several of the flaws need no credentials, keeping the vulnerable services off the network path of untrusted hosts matters: such tools can prevent attackers from reaching and remotely exploiting the vulnerable components.

This is the first time that three fixes for Oracle's core database have received the highest vulnerability rating. The ratings come from the Common Vulnerability Scoring System (CVSS), an open standard maintained by the Forum of Incident Response and Security Teams (FIRST), contributed to by Carnegie Mellon University's CERT Coordination Center and other security groups, and used by the National Institute of Standards and Technology in its National Vulnerability Database. A 10.0 is the maximum score and falls in the "high" severity range: scores from 7.0 to 10.0 are high, 4.0 to 6.9 medium, and below 4.0 low.

Oracle's next scheduled quarterly CPU is Jan. 12, 2010, with three more scheduled in 2010: April 13, July 13 and October 12.

