Oracle releases critical, out-of-cycle patch

By Bill Brenner, Senior News Writer
28 Feb 2006 | SearchSecurity.com

Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead of its next scheduled security update.

Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites.

Chicago-based security firm Integrigy Corp. said in a report (pdf) that the patch covers "a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes." The most significant issue is that some of the diagnostics can be executed without any authentication, and "it is possible to configure the diagnostics to be unrestricted. Also, several permission issues and SQL injection vulnerabilities are fixed by the patch."

The Oracle Diagnostics feature in E-Business Suite 11i allows IT administrators to run technical and functional tests on the configuration and setup of the application, Integrigy said. The tests cover a range of functionality from the application server setup to functional tests in modules such as General Ledger and Human Resources, the company added.

On the timing of the release, Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, described the update in his blog as a "stealth security patch," although Oracle has been less guarded about this one than it has been about past out-of-cycle updates.

"They normally only release security patches as part of the Critical Patch Update (CPU) process on a quarterly basis," he said. "It is common, however, to include security fixes in upgrades that are then included in the next CPU. [But] it is unusual for Oracle to publicize the fact that security fixes are included with an upgrade and to encourage customers to apply the patch," as it did in this case.

Oracle issued its last CPU in January, when it fixed 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The next scheduled patch release is April 18.
