Oracle Patches 36 Bugs - InformationWeek
Software // Information Management
10:01 PM
Connect Directly
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Oracle Patches 36 Bugs

Three of the fixes with the highest vulnerability rating are for the core Oracle Database Server itself.

Oracle issued a small, critical security patch Tuesday with 36 bug fixes covering several elements of its product line, including Oracle E-Business Suite and J.D. Edwards applications and the WebLogic Application Server.

But for the first time, three of the fixes with the highest vulnerability rating, 10, were for the core Oracle Database Server itself. The ratings are set by a government, university and industry group as the Common Vulnerability Scoring System.

Oracle discloses the rating to DBA's to help them assess how quickly they need to address the fixes in the patch. The 10 rating indicated three of the fixes addressed security exploits that could be executed by a hacker at a remote location with no claim to a proper user authentication.

Three other fixes were for the database server, although their CVSS ratings were less severe at 6.5. The versions of the database server affected included Oracle 11g release; Oracle 10g Release 2, including the and releases; Oracle 10g Release; and Oracle 9i Release 2, including and

Oracle security patches are issued each quarter on the Tuesday closest to the 15th of the month. Oracle recognizes outsiders who contribute to the patches, and Tuesday's critical update recognized Aviv Pode, head of security research at security firm Sentrigo, and Yaniv Azaria, a researcher in the Application Defense Center lab of the security firm, Imperva.

Imperva CTO Amachai Shulman said Tuesday patch was a case of Oracle fixing for a second time a bug that Imperva discovered a year ago. One of the lower-rated vulnerabilities was exposed by Imperva last fall and Oracle announced a fix. The problem reappeared in Tuesday's critical patch as vulnerability CVE-2009-2001, which was labeled a medium risk at 6.5, under the CVSS ranking system. It is a PL/SQL exploit caused by a buffer overflow.

In some cases, a hacker using PL/SQL can enter instructions in a form by filling its underlying buffer beyond what the form requires. The database system, seeking the expected user entry, gets an instruction attacking the database instead.

Imperva "reported the problem a year ago," said Shulman. Oracle fixed the symptom "but not the root cause, leaving a way to successfully attack the database with a buffer overflow," he said in an interview. But this exposure was not subject to exploitation by a remote user lacking authentication, hence its 6.5 rating, he said.

"I don't think during the four years critical patches have been issued that any exposure to the databse server scored a ten. This time there were three of them," he said.

A rating of 10 from the Common Vulnerability Scoring System means it is in the "high" severity range of the ratings, with any rating between 7-10 considered high. Medium severity is rated at 4 -6.9 and low severity at 1-3.9. The CVSS system was set up by the National Institute of Standards and Technology, Carnegie Mellon University and security specialists in the computer industry. The group calls itself the Forum of Incident Response and Security Teams.

Oracle representatives could not be reached for comment.

InformationWeek Analytics has published a report on the 10 steps to effective data classification. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll