Oracle Released 51 Patches
Oracle released a long list of 51 security patches on October 16, 2007, including 27 fixes for the highly sensitive Oracle Database that many enterprises run. Oracle releases its patches quarterly, on the Tuesday closest to the 15th of January, April, July and August.
Company officials at Oracle warned that users should apply the fixes as early as possible to safeguard their systems against attacks.
The vulnerabilities affect several Oracle products, and some of those the update addresses span multiple products.
Nineteen of the patches, including two that address remotely exploitable issues, fix Oracle Database and related products.
Another 14 fix problems in E-Business Suite and its related applications. Six of the newly patched flaws can be exploited remotely without a username and password. The remaining patches fix Application Server, Application Express, JDeveloper, JD Edwards EnterpriseOne, PeopleSoft Enterprise, and Collaboration Suite.
Oracle will now rate the seriousness of flaws using version 2 of the Common Vulnerability Scoring System (CVSS); previously it used CVSS version 1. The highest rating Oracle assigned to any of these vulnerabilities is 6.5 out of 10, said Amichai Shulman, CTO and Director of the Application Defense Center at California-based Imperva, in an interview with eWeek. Shulman was referring to Oracle Database flaw DB01, which, according to Oracle's risk matrix, allows an attacker to easily take over a database server.
According to the matrix, DB01's Integrity, Confidentiality and Availability impacts are all rated 'Partial+'. This term is Oracle's own, since CVSS defines only the other two values, 'Partial' and 'Complete'.
DB19 and DB20 are vulnerabilities capable of triggering a Denial-of-Service (DoS) attack against a database server running Oracle software. Even though exploiting them requires no authentication, they are rated only 5 out of 10, Shulman added.
Shulman thinks the 1-to-10 scoring method is misleading, because it tends to pull scores down. He therefore strongly advises administrators to understand each flaw in detail before deciding how to apply the patch, rather than relying on the score alone.
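To see why a flaw rated only 'Partial' on all three impact metrics cannot score high under CVSS v2, here is a small base-score calculator. This is an added example, not part of the article or Oracle's advisory; the two vectors are assumptions chosen to reproduce the 6.5 and 5.0 scores quoted above, not Oracle's published vectors for DB01, DB19 or DB20.

```python
# CVSS v2 base-score calculator. Added example; vectors marked ASSUMED are
# constructed to match the article's figures, not taken from Oracle's matrix.

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication required
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}

def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:S/C:P/I:P/A:P' into a dict, validating every metric."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"vector must contain exactly the six base metrics: {vector}")
    for name, value in metrics.items():
        if value not in WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics

def base_score(vector: str) -> float:
    """Compute the CVSS v2 base score (0.0 to 10.0) for a base-metric vector."""
    w = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)

# ASSUMED vectors reproducing the article's numbers: a network-reachable flaw
# needing one login with partial C/I/A loss scores 6.5; an unauthenticated
# availability-only (DoS) flaw scores 5.0.
ASSUMED_DB01 = "AV:N/AC:L/Au:S/C:P/I:P/A:P"
ASSUMED_DB19 = "AV:N/AC:L/Au:N/C:N/I:N/A:P"

def partial_ceiling() -> float:
    """Highest score reachable while C, I and A are all only 'Partial'."""
    return base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P")

if __name__ == "__main__":
    for v in (ASSUMED_DB01, ASSUMED_DB19):
        print(f"{v}: {base_score(v)}")
    print(f"ceiling with all-Partial impact: {partial_ceiling()}")
    print(f"same flaw with Complete impact: {base_score('AV:N/AC:L/Au:N/C:C/I:C/A:C')}")
```

Even with no authentication and the easiest access path, all-Partial impact tops out at 7.5, while the same flaw rated Complete reaches 10.0, which is the gap Shulman's remark about the scale points at.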
» SPAMfighter News - 02-11-2007