Oracle drops critical database server patch bundle
Oracle has dropped the first quarterly critical patch update for 2009 — with patches for 41 vulnerabilities in a wide range of database server products.
The January 2009 CPU includes 20 new security fixes for the company’s flagship database product lines, 4 new security fixes for the Oracle Application Server, 9 new security fixes for Oracle Secure Backup, 4 new security fixes for the Oracle Applications Suite, and 6 new security fixes for the PeopleSoft and JDEdwards Suite.
On the Oracle Database side, here’s a breakdown of the main patches:
- 10 new security fixes for the Oracle Database. None of these vulnerabilities is remotely exploitable without authentication, i.e. none may be exploited over a network without a username and password. 2 of these fixes are applicable to client-only installations, i.e. installations that do not have an Oracle Database installed.
- 9 new security fixes for the Oracle Secure Backup product. All of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.
- 1 new security fix for the Oracle TimesTen Data Server. This vulnerability is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.
According to Alexander Kornbrust from Red Database Security, the most critical bug could allow any user with execute privileges on dbms_ijob (e.g. DBA or hacker/user with DBA privs) to bypass Oracle Auditing completely.
This means no traces in the AUD$ and/or the operating system! All databases are affected.
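As a defender's check against the dbms_ijob issue described above, the following query is an added example (not from the article, Kornbrust's advisory or Oracle) that lists every account able to execute SYS.DBMS_IJOB, whether granted directly or through a chain of roles, so the grant list can be reviewed against who actually needs it. It assumes a DBA-privileged session on a 10g/11g-era database where the standard DBA_* dictionary views are available.

```sql
-- Added example: who can execute SYS.DBMS_IJOB (directly or via roles)?
-- Assumes the standard DBA_TAB_PRIVS / DBA_ROLE_PRIVS / DBA_USERS views.
WITH direct_grants AS (
  -- users or roles holding a direct EXECUTE grant on the package
  SELECT grantee
  FROM   dba_tab_privs
  WHERE  owner      = 'SYS'
  AND    table_name = 'DBMS_IJOB'
  AND    privilege  = 'EXECUTE'
),
role_chain AS (
  -- walk role grants downwards from every directly granted role,
  -- so users reached through nested roles are found as well
  SELECT grantee, granted_role
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee FROM direct_grants)
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
SELECT DISTINCT
       u.username,
       CASE
         WHEN u.username IN (SELECT grantee FROM direct_grants) THEN 'DIRECT'
         ELSE 'VIA ROLE ' || rc.granted_role
       END AS how_granted
FROM   dba_users u
LEFT JOIN role_chain rc ON rc.grantee = u.username
WHERE  u.username IN (SELECT grantee FROM direct_grants)
OR     rc.granted_role IS NOT NULL
ORDER BY u.username;
```

A grantee of PUBLIC in the DIRECT set means every account in the database can call the package; any such row, or any user outside the DBA group, is worth flagging until the January 2009 CPU is applied.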
Risk matrix definitions, including CVSS scores for all the vulnerabilities, are included in Oracle’s advisory.