Oracle Patches 45 Bugs In Quarterly Critical Update

Seventeen of the flaws affect Oracle's Database Server, and 13 of the total 45 could be exploited remotely without authentication.

Oracle late Tuesday released its quarterly Critical Patch Update, fixing a total of 45 vulnerabilities across its product lines.

An attacker could remotely exploit 13 of the bugs without authentication. And 17 of the flaws being fixed this week affect the company's flagship product -- Oracle Database Server. Two of those database bugs also are remotely exploitable without authentication, according to Eric Maurice, a security manager with Oracle, writing in a blog post.

The vulnerabilities affect Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise.

Oracle gives its most severe security rating to two flaws in its Oracle PeopleSoft Enterprise software. Those two bugs scored a 4.8 on the standard Common Vulnerability Scoring System (CVSS), which gives bugs a 0 to 10 ranking, with 10 being the most severe. Oracle doesn't give vulnerabilities a "critical" or "important" rating like Microsoft does.

According to an Oracle spokesman, at least one bug in the Oracle E-Business Suite received a 4.7, and the highest score among the database bugs was 4.2.

"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," according to the company's own advisory. "Depending on your environment, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends changes are tested on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."

The Internet Storm Center also is recommending that IT managers apply the updates "in a timely manner" since the flaws could enable attackers to compromise data in corporate databases.

Late last week, Oracle announced it would be releasing 46 patches, but the number released was one short at 45.
