Oracle's July 2007 CPU has 45 security fixes

Oracle Corp.'s July 2007 Critical Patch Update (CPU) contains 45 security fixes for flaws across the company's product line attackers could exploit to tamper with corporate databases without the need for a username and password.

The Redwood Shores, Calif.-based database giant released the CPU Tuesday afternoon with one fix fewer than it predicted in last week's advance bulletin. "Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," the vendor said in its CPU bulletin.

The CPU fixes:

• Nineteen flaws in Oracle Database products, two of which attackers could exploit remotely over a network without the need for a username and password.
• Four flaws in Oracle Application Server, three of which attackers could exploit remotely without authentication.
• A flaw in Oracle Collaboration Suite that may be remotely exploitable without authentication.
• Fourteen flaws in Oracle E-Business Suite (EBS), six of which attackers could exploit over a network without the need for a username and password.
• Three flaws in Oracle PeopleSoft Enterprise PeopleTools, two in PeopleSoft Enterprise Customer Relationship Management and two in PeopleSoft Enterprise Human Capital Management. One of the flaws in Oracle PeopleSoft Enterprise PeopleTools may be remotely exploitable without a username and password.

The Application Defense Center of Foster City, Calif.-based Imperva Inc. discovered one of the Oracle E-Business Suite flaws. According to Imperva's Oracle E-Business Suite advisory, attackers could exploit an XSS vulnerability in the product to steal sensitive data and launch phishing attacks. Successful attackers could steal information from users of the business suite whether they are employees of the organization that deploys the business suite or partners that access it in a self-service mode, said Amichai Shulman, chief technology officer of Imperva and director of its Application Defense Center.

"The flaw is in the Web interface and doesn't require authentication," he said. "It's a cross-site scripting vulnerability that allows attackers to execute malicious code on a victim's browser by sending specially crafted links to the targeted application. The attacker could use this to gain unauthorized access to an E-Business suite."

Shulman said the flaw is especially critical for those who expose their E-Business suite to the Internet through partners, vendors and customers.