Oracle Patches 45 Bugs In Quarterly Critical Update
Seventeen of the flaws affect Oracle's Database Server, and 13 of the total 45 could be exploited remotely without authentication.
Oracle late Tuesday released its quarterly Critical Patch Update, fixing a total of 45 vulnerabilities across its product lines.
An attacker could remotely exploit 13 of the bugs without authentication. And 17 of the flaws being fixed this week affect the company's flagship product -- Oracle Database Server. Two of those database bugs also are remotely exploitable without authentication, according to Eric Maurice, a security manager with Oracle, writing in a blog post.
The vulnerabilities affect Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise.
Oracle gives its most severe security rating to two flaws in its Oracle PeopleSoft Enterprise software. Those two bugs scored a 4.8 on the standard Common Vulnerability Scoring System (CVSS), which gives bugs a 0 to 10 ranking, with 10 being the most severe. Oracle doesn't give vulnerabilities a "critical" or "important" rating like Microsoft does.
According to an Oracle spokesman, at least one bug in the Oracle E-Business Suite received a 4.7, and the highest score among the database bugs was 4.2.
"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," according to the company's own advisory. "Depending on your environment, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends changes are tested on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."