Oracle Corp. on Tuesday patched 36 security holes in its products, including fixes for its database management system, application server, E-Business Suite, and JD Edwards and PeopleSoft software. Attackers could potentially exploit the most severe flaws to compromise the database server or the host operating system, the Redwood Shores, Calif.-based database giant said.
The Oracle Critical Patch Update (CPU) contained patches for 13 holes in its Oracle Database. Fixes were also made available for its Enterprise Manager in the 9i database, the Workflow Cartridge and the Ultra Search component. The software vendor said two of the holes could be remotely exploitable without the need for a user name and password.
Two database vulnerabilities addressed by the CPU affect Oracle Database client-only installations. Oracle said they could be exploited by an attacker where a privileged operating system process is passing input from an unprivileged source to the affected program.
A patch was also issued to plug a hole in Oracle's Secure Enterprise Search component.
Addressing Oracle's database vulnerabilities, David Litchfield, managing director at UK-based NGS (Next Generation Security) Software, said Oracle's CPU addresses issues related to flaws first reported in 2002 and 2004.
"This may indicate that Oracle is now in a position where they can 'clear the backlog' indicating that most of the more important flaws have been found and patched," Litchfield said in a report he issued analyzing the latest batch of patches. "If this is correct then we should see smaller patches being released in future CPUs."
Litchfield said up to 39 other issues, some high risk, are still awaiting a patch.

Five security fixes were released for Oracle Application Server. The software vendor also repaired a Workflow Cartridge flaw and an Oracle Secure Enterprise Search flaw that affected Oracle Application Server. Oracle said its Application Server 10g Release 2 (10.1.3.0.0) is not affected by Application Server-specific vulnerabilities, but includes Oracle Database code that needs to be patched by applying the Oracle Application Server patch.
The CPU also contained a fix for the Oracle Collaboration Suite and 11 patches for the Oracle E-Business Suite. Two of the vulnerabilities affecting the business software could be remotely exploited over a network without a user name or password.