Oracle drops critical database server patch bundle

Oracle has released the first quarterly Critical Patch Update (CPU) of 2009, with fixes for 41 vulnerabilities across its product lines, the database server family among them.

The January 2009 CPU includes 20 new security fixes for the database product family (the 20 already include 10 for the Oracle Database itself, 9 for Oracle Secure Backup and 1 for TimesTen), 4 new security fixes for Oracle Application Server, 4 for the Oracle Applications (E-Business) Suite, and 6 for the PeopleSoft and JD Edwards suites.

On the Oracle Database side, here’s a breakdown of the main patches:

  • 10 new security fixes for the Oracle Database. None of these vulnerabilities is remotely exploitable without authentication, i.e. none can be exploited over a network without a valid username and password. 2 of the fixes also apply to client-only installations, i.e. hosts that have the Oracle client software installed but no database server.
  • 9 new security fixes for Oracle Secure Backup. All of these vulnerabilities are remotely exploitable without authentication, i.e. they can be exploited over a network without a username and password.
  • 1 new security fix for the Oracle TimesTen Data Server. This vulnerability is remotely exploitable without authentication, i.e. it can be exploited over a network without a username and password.

According to Alexander Kornbrust of Red Database Security, the most critical bug allows any user with EXECUTE privilege on the SYS.DBMS_IJOB package (normally a DBA, or an attacker who has obtained DBA privileges) to bypass Oracle auditing completely.

In practice that means no trace is left in SYS.AUD$ or in the operating-system audit trail. All Oracle database versions are affected.
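Because the bypass needs EXECUTE on SYS.DBMS_IJOB, the first thing a DBA will want is an inventory of who actually holds that privilege, directly or through a chain of roles, and whether auditing is even switched on. The queries below are an added example written for this page, not taken from the article, Oracle's advisory or Red Database Security; they use only standard Oracle data-dictionary views (DBA_TAB_PRIVS, DBA_ROLE_PRIVS, V$PARAMETER) and the grantee name in the REVOKE is a hypothetical placeholder.

```sql
-- Added example: find every principal that can call SYS.DBMS_IJOB.
-- Run as a user with SELECT on the DBA_* views (e.g. SYSDBA).

-- 1. Principals (users or roles) granted EXECUTE on DBMS_IJOB directly.
SELECT grantee,
       'DIRECT'            AS granted_via,
       grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_IJOB'
   AND privilege  = 'EXECUTE'
UNION
-- 2. Principals that inherit it through one or more role grants.
--    START WITH the roles holding the privilege, then walk "upwards"
--    (CONNECT BY on DBA_ROLE_PRIVS) to every user/role granted those roles.
--    CONNECT BY works on 9i/10g/11g, unlike recursive WITH (11gR2+).
SELECT rp.grantee,
       'VIA ROLE ' || rp.granted_role AS granted_via,
       NULL                            AS grantable
  FROM dba_role_privs rp
 START WITH rp.granted_role IN (
         SELECT grantee
           FROM dba_tab_privs
          WHERE owner      = 'SYS'
            AND table_name = 'DBMS_IJOB'
            AND privilege  = 'EXECUTE')
 CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
 ORDER BY 1, 2;

-- 3. Is database auditing actually on?  If AUDIT_TRAIL is NONE there is
--    nothing for the bypass to bypass, which is its own finding.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 4. Remove the privilege from anyone who does not need it
--    (APP_BATCH_USER is a hypothetical grantee, not a real account).
REVOKE EXECUTE ON sys.dbms_ijob FROM app_batch_user;
```

The result set from the UNION is the list of accounts whose sessions could go unaudited until the CPU is applied; anything in it that is not a named DBA is worth explaining. Note that a REVOKE from a role affects every account holding that role, so check step 2 before step 4, and re-run step 1 afterwards to confirm the grant is gone.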

Risk matrix definitions, including CVSS scores for all the vulnerabilities, are included in Oracle’s advisory.


[Source: zdnet]
