September 29, 2016

Oracle Fixes 78 Vulnerabilities But Questions Arise About Fundamental Flaws in its Flagship Database Product

(LiveHacking.Com) – Oracle has released 78 security fixes, for its flagship database software, Fusion Middleware, e-Business Suite, Supply Chain, PeopleSoft, JDEdwards and Sun products, as part of January’s Critical Patch Update (CPU). Included were two fixes for the Oracle Database Server, seventeen for Oracle Sun products, three for Oracle Virtualization and a massive 27 in Oracle MySQL. Only 16 of the 78 fixes are considered critical, or could be remotely exploited without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.” said Oracle in the advisory.

The highest scored vulnerabilities, under the Common Vulnerability Scoring Standard (CVSS), are found in the Solaris operating system. The first is a denial of service bug and the second a Kerberos issue.

Oracle also patched MySQL Server 27 times, including one vulnerability in the MySQL protocol that allows a remote attacker to significantly affect the availability of the database. Another, higher-rated vulnerability, while not remotely exploitable without authentication, could both affect availability and potentially expose the confidentiality of data in the database. Some pundits are accusing Oracle of “throwing in the towel” on patching its flagship database as it received only two patches compared to MySQL’s 27.

However, now that the CPU has been issued, InfoWorld has published a story about “a flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.” When they contacted Oracle about the flaw they were asked, in the interest of security, to withhold the story until Oracle had time to develop and test patches that addressed the flaw.

 

Oracle to Patch 78 Security Vulnerabilities Across Hundreds of its Products

(LiveHacking.Com) – Oracle has published a critical patch update pre-release announcement where it outlines its intention to patch 78 security vulnerabilities across hundreds of its products. Scheduled for Tuesday, January 17, 2012, the jumbo set of patches affect products such as Oracle Database (10g and 11g), VirtualBox and MySQL.

For Oracle Database  there are two security fixes one of which may be remotely exploitable without authentication. This Critical Patch Update also contains three new security fixes for Oracle VM VirtualBox and Oracle Virtual Desktop Infrastructure (VDI), however none of these vulnerabilities may be remotely exploitable without authentication. The MySQL patch set is larger with 27 vulnerabilities scheduled to be patched. One of these vulnerabilities may be remotely exploitable without authentication.

Affected Products and Components

Security vulnerabilities addressed by Oracle’s Critical Patch Update affect the following products:

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0
  • Oracle Outside In Technology, versions 8.3.5, 8.3.7
  • Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
  • Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
  • Oracle PeopleSoft Enterprise CRM, version 8.9
  • Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
  • Oracle PeopleSoft Enterprise PeopleTools, version 8.52
  • Oracle JDEdwards, version 8.98
  • Oracle Sun Product Suite
  • Oracle Sun Ray, version 5.3
  • Oracle VM VirtualBox, version 4.1
  • Oracle Virtual Desktop Infrastructure, version 3.2
  • Oracle MySQL Server, versions 5.0, 5.1, 5.5, 5.6