Oracle Patches 45 Bugs In Quarterly Critical Update

Seventeen of the flaws affect Oracle's Database Server, and 13 of the total 45 could be exploited remotely without authentication.

Oracle late Tuesday released its quarterly Critical Patch Update, fixing a total of 45 vulnerabilities across its product lines.

An attacker could remotely exploit 13 of the bugs without authentication, and 17 of the flaws being fixed this week affect the company's flagship product, Oracle Database Server. Two of those database bugs are also remotely exploitable without authentication, according to Eric Maurice, a security manager with Oracle, writing in a blog post.

The vulnerabilities affect Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise.

Oracle gives its most severe security rating to two flaws in its Oracle PeopleSoft Enterprise software. Those two bugs scored a 4.8 on the standard Common Vulnerability Scoring System (CVSS), which gives bugs a 0 to 10 ranking, with 10 being the most severe. Oracle doesn't give vulnerabilities a "critical" or "important" rating like Microsoft does.

According to an Oracle spokesman, at least one bug in the Oracle E-Business Suite received a 4.7, and the highest score among the database bugs was 4.2.

"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," according to the company's own advisory. "Depending on your environment, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends changes are tested on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."

The Internet Storm Center is also recommending that IT managers apply the updates "in a timely manner," since the flaws could enable attackers to compromise data in corporate databases.

Late last week, Oracle announced it would be releasing 46 patches, but the number actually released, 45, was one short of that.
