Oracle released its quarterly
critical patch update (CPU) on 17 October,
fixing 101 flaws across the company's product line. Attackers
could exploit 45 of them from remote locations without a
username or password.
"The most severe issues are SQL injection and buffer overflow
vulnerabilities," said Amichai Shulman, CTO of Foster City,
Calif.-based Imperva Inc., a data security firm. Attackers can
exploit SQL injection flaws to access the core of the database with
full administrative privileges, he said, adding, "The troubling
thing about this quarter is that several flaws that were patched
before seem to have reappeared."
In its Oracle security blog, Chicago-based security
firm Integrigy Corp. noted that 45 of the 101 flaws are remotely
exploitable.
Overall, the company said, the number of flaws this quarter is
high compared to previous CPUs, but includes a similar number of
database and application server vulnerabilities. "The spike is due
to 35 vulnerabilities in Oracle Application Express (formerly
HTMLDB)," the company said.
While the CPU offers little detail on the nature of the flaws,
there is more information about the number of flaws and their
severity than what database administrators (DBAs) have seen in the
past. Oracle
announced last week that more detail would
be added to the bulletins in response to customer feedback. The
company has also adopted the Common Vulnerability Scoring System
(CVSS) to rate the severity of its flaws.
Here is a summary of the flaws fixed in the latest CPU:
Oracle Database: The patch contains 63 fixes for the
database products, including:
- Twenty-two fixes for the Oracle Database itself.
- Six fixes for Oracle HTTP Server, five of which attackers could
exploit remotely without authentication.
- Thirty-five fixes for Oracle Application Express, 25 of which
attackers could remotely exploit without authentication.
Oracle Application Server: The CPU contains 14 fixes for
Oracle Application Server, 13 of which attackers could remotely
exploit without authentication.
Oracle Collaboration Suite: There are no new Oracle
Collaboration Suite fixes this quarter.
Oracle E-Business Suite and Applications: The CPU
contains 13 fixes for the Oracle E-Business Suite. Attackers could
exploit one of these vulnerabilities remotely without a username
and password.
Oracle Enterprise Manager: There are no new fixes for
Oracle Enterprise Manager in this CPU.
Oracle PeopleSoft Enterprise and JD Edwards Enterprise
One: The CPU contains eight fixes for Oracle PeopleSoft
Enterprise PeopleTools and Enterprise Portal Solutions, and one fix
for JD Edwards EnterpriseOne. Attackers could exploit one of the
PeopleSoft flaws remotely without a username and password. The JD
Edwards EnterpriseOne vulnerability is not remotely exploitable
without authentication.