
Oracle vulnerabilities highlighted by security firms

Author: Tash Shifrin
Posted: 15:54, 21 Apr 2006
Topics: Security Flaws & Exploits | Databases | Security | Enterprise Applications

Security experts have spotted two publicly available exploits for vulnerabilities in Oracle products.

Oracle released a critical patch update earlier this week to fix 36 security vulnerabilities in a range of products, including its Database, Application Server, Enterprise Manager and Collaboration Suite software.

But security firm Symantec has warned that two exploits are already in the public domain. Kevin Hogan, a senior manager at Symantec’s security response group, said the team was still reviewing the 36 vulnerabilities. “A number are critical,” he confirmed.

“There have been two exploits mentioned publicly – one on the Bugtraq mailing list and the other posted by the Red Database Security group. Those exploits are related to two different vulnerabilities.”


He said the Symantec team could not yet confirm whether the exploits worked, but added, “They look legitimate, they look like they do work.”

Hogan said, “Most of what we’ve seen so far does require valid authenticated access [to exploit], but the vulnerabilities may allow someone to get access at a higher level.”

He urged IT administrators to apply the patches as soon as possible. “There’s a buffer overflow vulnerability that potentially could allow access not just to the database but essentially to the machine. There may be some more in there that do worse things,” he said.

Oracle’s patch release, part of its quarterly cycle, follows critical out-of-cycle security patches issued in February and March.

Earlier this month, Oracle inadvertently alerted hackers to a bug in its Server platform, accidentally publishing information that could be used to exploit it. The information has since been withdrawn.
