
Oracle delivers database fixes in Critical Patch Update

Oracle has shipped 38 database fixes affecting 21 products in its most recent Oracle Critical Patch Update (CPU), including three critical security patches for its core database.

Oracle has confirmed that it released 38 fixes yesterday as part of its quarterly Critical Patch Update; three of those fixes, all for the company's core database, carry the highest vulnerability rating of 10.

The affected products, numbering 21 in total, include Oracle Database 9i Release 2, 10g, 10g Release 2, 11g, Oracle Application Server 10g, and Oracle WebLogic Server. Six of the security patches deal with vulnerabilities that permit access to the Oracle Database without requiring a user name or password, according to the company. Oracle's BEA products, including JRockit and WebLogic, are also susceptible to remote attacks that do not require authentication.

In his blog, Eric Maurice, manager of security in Oracle's global technology business unit, wrote: "Because of the severity of the database vulnerabilities, Oracle recommends that this Critical Patch Update (CPU) be applied against the affected systems as soon as possible."

If any one of the three database vulnerabilities were successfully exploited, it could result in a full compromise of the system, right down to the Windows desktop operating system, according to Maurice. On other platforms, however, the flaws have lower ratings because an attack would not lead to a compromise at the operating system layer, he wrote.

Until the Critical Patch Update is applied, common network access control products, including reverse proxies and firewalls, which are typically deployed around sensitive systems, can serve to "greatly reduce" the risks posed by these vulnerabilities, Maurice wrote. He said such network security tools can prevent hackers from remotely exploiting these vulnerabilities.
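As an added illustration of the interim network-level mitigation Maurice describes (example code written for this page, not from the article or from Oracle), the script below does two things a DBA or network engineer would want: it checks `ss -ltn`-style output for a database listener bound on every interface, and it generates an iptables allowlist so that only named application hosts can open new connections to the listener until the patch is applied. It assumes the listener is on TCP 1521 (Oracle's usual default, which the article does not state); the addresses and the sample listener output are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Oracle.
# Assumption: the listener port defaults to 1521 (Oracle's usual default,
# not stated in the article). Override with LISTENER_PORT=... if needed.
LISTENER_PORT="${LISTENER_PORT:-1521}"

# listener_exposed: read "ss -ltn" lines on stdin and report every local
# address where the listener port is bound on a wildcard address
# (0.0.0.0, * or [::]), i.e. reachable from any network the host sits on.
# Returns 1 if such a binding was found, 0 otherwise.
listener_exposed() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        case "$laddr" in
            "0.0.0.0:$LISTENER_PORT"|"*:$LISTENER_PORT"|"[::]:$LISTENER_PORT")
                echo "listener bound on all interfaces: $laddr"
                found=1 ;;
        esac
    done
    return $found
}

# oracle_listener_rules: print iptables commands that accept NEW TCP
# connections to the listener only from the given hosts/CIDRs, log and
# drop everything else. Nothing is applied here; review the output and
# run it as root (or feed it to your firewall management tooling).
oracle_listener_rules() {
    for cidr in "$@"; do
        case "$cidr" in
            */*) ;;                 # already a CIDR prefix
            *) cidr="$cidr/32" ;;   # bare host address -> /32
        esac
        echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -s $cidr -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log denied attempts so exploitation attempts are visible to the SOC,
    # then drop; established sessions from allowed hosts are unaffected.
    echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -m conntrack --ctstate NEW -j LOG --log-prefix \"ORA-LISTENER-DENY \""
    echo "iptables -A INPUT -p tcp --dport $LISTENER_PORT -m conntrack --ctstate NEW -j DROP"
}

# Demo with constructed "ss -ltn" output and placeholder app-server
# addresses: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port' \
        'LISTEN 0      128    0.0.0.0:1521        0.0.0.0:*' \
        'LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*' \
        | listener_exposed || echo "-> restrict access to the listener:"
    oracle_listener_rules 10.0.1.5 10.0.2.0/24
fi
```

On a live host, pipe the real `ss -ltn` output into `listener_exposed`; if it reports a wildcard binding, either bind the listener to an internal address or put the generated allowlist (or the equivalent rule on the perimeter firewall or reverse proxy) in front of it. The LOG rule matters as much as the DROP: connection attempts from unexpected sources to the database port are exactly the signal to watch for while the vulnerabilities remain unpatched.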

This is the first time that three fixes for Oracle's core database have received the highest vulnerability rating. The ratings are determined by the Common Vulnerability Scoring System (CVSS), which was established by the National Institute of Standards and Technology, Carnegie Mellon University and other security groups. A rating of 10 is the top of the "high" severity range: ratings between 7 and 10 are considered high, while medium severity runs from 4 to 6.9.

Oracle's next scheduled quarterly CPU is Jan. 12, 2010, with another three scheduled in 2010, on April 13, July 13 and October 12.
