October 16th, 2009

Oracle to fix 38 database, product vulnerabilities

Posted by Ryan Naraine @ 10:12 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Open source, Oracle, Passwords, Responsible disclosure, Vulnerability research

Tags: Database, Oracle Corp., Vulnerability, Authentication, Security, Ryan Naraine

Oracle has announced plans to ship a Critical Patch Update (CPU) with fixes for at least 38 security vulnerabilities in a wide range of database and server products.

The most serious vulnerabilities (CVSS score of 10.0) affect Oracle Core RDBMS, Oracle JRockit and Oracle Network Authentication. The patches are due on Tuesday, October 20, 2009.

According to an advance notice from Oracle, the following products and components will be affected by the October CPU:

• Oracle Database: 16 new security vulnerability fixes for the Oracle Database. Six of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password.
• Oracle Application Server: Three new security fixes for the Oracle Application Server. Two of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
• Oracle E-Business and Applications Suite: Eight new security fixes for the this product. Five of these vulnerabilities may be remotely exploitable without authentication.
• Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne: Four new security fixes for the PeopleSoft and JD Edwards Suite. None of these vulnerabilities may be remotely exploitable without authentication.
• Oracle BEA Products: Six new security fixes for the BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Oracle BEA Products affected:

• • Oracle JRockit
  • Oracle WebLogic Portal
  • Oracle WebLogic Server

• Oracle Industry Applications Products Suite: One 1 new security fix for the Oracle Industry Applications Products Suite. This vulnerability is not remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the company said.