Oracle fixes 101 flaws

Oracle released its quarterly critical patch update (CPU) on 17 October, fixing 101 flaws across the company's product line. Attackers could exploit 45 of them from remote locations without a username or password.

The troubling thing about this quarter is that several flaws that were patched before seem to have reappeared. Amichai Shulman, CTOImperva Inc.

"The most severe issues are SQL injection and buffer overflow vulnerabilities," said Amichai Shulman, CTO of Foster City, Calif.-based Imperva Inc., a data security firm. Attackers can exploit SQL injection flaws to access the core of the database with full administrative privileges, he said, adding, "The troubling thing about this quarter is that several flaws that were patched before seem to have reappeared."

In its Oracle security blog, Chicago-based security firm Integrigy Corp. noted that 45 of the 101 flaws are remotely exploitable.

Overall, the company said, the number of flaws this quarter is high compared to previous CPUs, but includes a similar number of database and application server vulnerabilities. "The spike is due to 35 vulnerabilities in Oracle Application Express (formerly HTMLDB)," the company said.

While the CPU offers little detail on the nature of the flaws, there is more information about the number of flaws and their severity than what database administrators (DBAs) have seen in the past. Oracle announced last week that more detail would be added to the bulletins in response to customer feedback. The company has also adopted the Common Vulnerability Scoring System (CVSS) to rate the severity of its flaws.

Here is a summary of the flaws fixed in the latest CPU:

Oracle Database: The patch contains 63 fixes for the database products, including:

• Twenty-two fixes for the Oracle Database itself.
• Six fixes for Oracle HTTP Server, five of which attackers could exploit remotely without authentication.
• Thirty-five fixes for Oracle Application Express, 25 of which attackers could remotely exploit without authentication.

Oracle Application Server: The CPU contains 14 fixes for Oracle Application Server, 13 of which attackers could remotely exploit without authentication.

Oracle Collaboration Suite: There are no new Oracle Collaboration Suite fixes this quarter.

Oracle E-Business Suite and Applications: The CPU contains 13 fixes for the Oracle E-Business Suite. Attackers could exploit one of these vulnerabilities remotely without a username and password.

Oracle Enterprise Manager: There are no new fixes for Oracle Enterprise Manager in this CPU.

Oracle PeopleSoft Enterprise and JD Edwards Enterprise One: The CPU contains eight fixes for Oracle PeopleSoft Enterprise PeopleTools and Enterprise Portal Solutions, and one fix for JD Edwards EnterpriseOne. Attackers could exploit one of the PeopleSoft flaws remotely without a username and password. The JD Edwards EnterpriseOne vulnerability is not remotely exploitable without authentication.