Oracle issues critical patch update for 47 flaws

By on
Oracle issues critical patch update for 47 flaws

Urges them to be applied ASAP.

Oracle has issued a critical patch update to correct 47 vulnerabilities across several of its portfolios, including the newly acquired Sun product line.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [critical patch update] fixes as soon as possible,” an Oracle advisory warned.

An update for the popular Oracle Database Server product includes seven security vulnerability fixes – none of which are remotely exploitable without authentication, in other words able to be exploited over a network without the need for a username and password, Oracle said. Two of those flaws were publicised by well-known database hacker David Litchfield earlier this year at the Black Hat conference in Washington, D.C.

Also, this week's update provides five security fixes for Oracle Fusion Middleware products. The update includes one fix for Oracle Collaboration Suite, eight for Oracle Application Suite, four affecting PeopleSoft and JD Edwards Suite, and six for Oracle Industry Applications, according to an advisory issued by US-CERT.

The update also includes 16 new security fixes for the Sun product line, which Oracle acquired in April 2009. This is the first Oracle security update to include fixes for the Sun Solaris operating system.

“With the recent close of the Sun acquisition, both security organisations have worked diligently to align Sun's previous security practices with Oracle's,” Eric Maurice, software security assurance director at Oracle, wrote in a blog post.

Alex Rothacker, manager of database protection vendor Application Security's SHATTER research team, told SCMagazineUS.com in an email that two of the vulnerabilities, in particular, pose a high risk.

One affects Oracle Database Server and allows for the complete takeover of not only the database, but also the entire server, including the operating system, he said. Another high-risk vulnerability affecting the Oracle Fusion Middleware product can be exploited remotely without authentication and allows for a complete takeover of the database.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?