Oracle has confirmed that it released 38 fixes yesterday as part of its quarterly Critical Patch Update, with three
of those fixes being classified with the highest vulnerability rating of 10 for the company's core database.
The affected products, numbering 21 in total, include Oracle Database 9i Release 2, 10g, 10g Release 2, 11g, Oracle Application Server 10g, and Oracle WebLogic Server. Six of the security patches deal with vulnerabilities that permit access to the Oracle Database without requiring a user name or password, according to the company. Also susceptible to outside attacks not requiring authentication are Oracle's BEA products including JRockit and WebLogic.
In his blog, Eric Maurice, manager of security in Oracle's global technology business unit, wrote: "Because of the severity of the database vulnerabilities, Oracle recommends that this Critical Patch Update (CPU) be applied against the affected systems as soon as possible."
Until the application of the Oracle Critical Patch Update, common network access control products, including reverse proxies and firewalls, which are typically deployed around sensitive systems, can serve to "greatly reduce" the risks posed by these vulnerabilities, Maurice wrote. He said such network security tools can prevent hackers from remotely exploiting these vulnerabilities.
This is the first time that three fixes for Oracle's core database received the highest vulnerability rating. The ratings are determined by the Common Vulnerability Scoring System (CVSS), which was established by the National Institute of Standards and Technology, Carnegie Mellon University and other security groups. A 10 rating denotes vulnerabilities in the "high" severity range, with ratings between 7 and 10 considered high, while medium severity is between 4 and 6.9.
Oracle's next scheduled quarterly CPU is Jan. 12, 2010, with another three scheduled in 2010, on April 13, July 13 and October 12.