Oracle to Plug 37 Security Holes

Oracle (Nasdaq: ORCL) will be releasing a Critical Patch Update next Tuesday that will remedy 37 vulnerabilities across several product lines, including 13 in the Oracle Database and five in the Application Server.

Some of the vulnerabilities are part of Oracle's family of acquired products. For instance, this update includes two new security fixes for Oracle PeopleSoft Enterprise PeopleTools, one fix for PeopleSoft Enterprise Human Capital Management and one for JD Edwards EnterpriseOne and JD Edwards OneWorld Tools.

In addition, there are 11 new security fixes for the Oracle E-Business Suite, two of which may be remotely exploited without authentication.

Components of Oracle's Life Sciences Applications also should be patched, the company said.

Patchy History

Of the 37 bugs, seven are serious and may be remotely exploitable without authentication, according to Oracle's prerelease advisory.

However, compared to earlier patch releases, this one suggests that Oracle's security vulnerabilities may be declining, Paul Henry, vice president of technology evangelism at Secure Computing, told CRM Buyer.

"In October, they issued a patch for 101 vulnerabilities," he noted.

Targeting Databases

That said, the remotely executable flaws addressed in this particular update are serious bugs that definitely needed patching, Henry said.

Such an unpatched vulnerability could allow an attacker to extract confidential data, to change data, or even to gain control of an application or the system it is running on, Monty Ijzerman, threat research lead of McAfee Avert Labs, told CRM Buyer.

"Exactly what the attacker's possibilities are might be more clear after Oracle's patch release next week and the releases of the corresponding advisories by independent database researchers," he said.

These flaws are particularly troublesome because Oracle databases tend to be exposed to the Internet, giving hackers an open path the network, Roger Thompson, chief technology officer for Exploit Prevention Labs, told CRM Buyer.

"Some of the vulnerabilities could be used to perform SQL injections that can affect the data in a Web site," he explained. "The site then becomes an an unwitting and innocent lure for hackers."

The update covers vulnerabilities in the following Oracle products:

• Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
• Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
• Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
• Oracle Secure Enterprise Search 10g Release 1, version 10.1.8
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
• Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
• Oracle Application Server 10g (9.0.4), version 9.0.4.3
• Oracle10g Collaboration Suite Release 1, version 10.1.2
• Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
• Oracle E-Business Suite Release 12, version 12.0.0
• Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
• Oracle Enterprise Manager 9i, version 9.0.1.5
• Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
• Oracle PeopleSoft Enterprise Human Capital Management version 8.9
• JD Edwards EnterpriseOne Tools version 8.96
• JD Edwards OneWorld Tools SP23
• Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
• Oracle9i Database Release 2, versions 9.2.0.5
• Oracle Database 10g Release 2, version 10.2.0.1.