Attackers could potentially exploit the most severe flaws to compromise the database server or the host operating system, the Redwood Shores, Calif.-based, database giant said.
The Oracle Critical Patch Update contained patches for 13 holes in its Oracle Database. Fixes were also made available for its Enterprise Manager in the 9i database, Workflow Cartidge and Ultra Search component. The software vendor said two of the holes could be remotely exploitable without the need for a user name and password.
Two database vulnerabilities addressed by the CPU affect Oracle Database client-only installations. Oracle said they could be exploited by an attacker where a privileged operating system process is passing input from an unprivileged source to the affected program.
A patch was also issued to plug hole in Oracle's Secure Enterprise Search component.
Addressing Oracle's database vulnerabilities, David Litchfield, managing director at UK-based NGS (Next Generation Security) Software said Oracle's CPU addresses issues related to flaws first reported in 2002 and 2004.
"This may indicate that Oracle is now in a position where they can 'clear the backlog' indicating that most of the more important flaws have been found and patched," Litchfield said in a report he issued analyzing the latest batch of patches. "If this is correct then we should see smaller patches being released in future CPUs."
Litchfield said up to 39 other issues, some high risk, are still awaiting a patch. Five security fixes were released for Oracle Application Server. The software vendor also repaired a Workflow Cartridge flaw and an Oracle Secure Enterprise Search flaw that affected Oracle Application Server. Oracle said its
Application Server 10g Release 2 (10.1.3.0.0) is not affected by Application Server specific vulnerabilities, but includes Oracle Database code that needs to be patched by applying the Oracle Application Server patch.
The CPU also contained a fix for the Oracle Collaboration Suite and 11 patches for the Oracle E-Business Suite. Two of the vulnerabilities affecting the business software could be remotely executed over a network without a user name or password.