The patch was brought to light through a report issued by Integrigy Corp., a provider of application security software for Oracle products, one day after Oracle announced the problem. "There exist a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes," the Integrigy report says. "The most significant issue with the Oracle Diagnostics is that some of the diagnostics can be executed without any authentication and it is possible to configure the diagnostics to be unrestricted." The patch also fixes several permission issues and SQL injection vulnerabilities.
This is the first time Oracle has notified its customers that a security fix was included in a software upgrade taking place between Critical Patch Updates, Oracle's quarterly software patch download, Integrigy says in its report. Normally, Oracle doesn't mention the security fixes in its non-critical patch updates in order to avoid tipping hackers off to any security vulnerabilities. Last week's move appears to be an attempt by Oracle to encourage its users to implement the diagnostics patch in a speedy fashion, although Oracle could not be reached for comment at press time. The company's next scheduled Critical Patch Update, its sixth since beginning the program in January 2005, is scheduled for April 18.
The company's previous Critical Patch Update in January addressed 82 vulnerabilities, 19 of which were specific to the company's E-Business Suite. The rest of the vulnerabilities affected database, application server, collaboration suite, and enterprise manager products, as well as products inherited through its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, 17 of which were specific to its E-Business Suite.
The new patch is not expected to break any other Oracle products running in the same environment, a major concern for Oracle as it expands into new areas of the applications market. This isn't the first time Oracle has had to fix the diagnostics tools and functions within its applications. The company issued such fixes most recently in its April 2005 and July 2005 Critical Patch Updates.
Although Oracle doesn't endorse workarounds, Integrigy recommends blocking access to many of the Oracle Diagnostics Web pages and removing old versions of the Oracle Diagnostics, if the patch can't be applied. Integrigy also recommends this workaround for all Internet-facing Oracle E-Business Suite 11i application servers.
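As an illustration of the access-blocking workaround described above, here is an Apache httpd configuration fragment added to this article; it is not from Integrigy, Oracle, or the report, and the URL path `/OA_HTML/diag-placeholder/` and the internal network range `10.0.0.0/8` are placeholders, not real Oracle Diagnostics locations. The idea is to refuse requests for the diagnostic pages at the web tier so that unauthenticated callers never reach the Java classes behind them, while an administrator on the internal network can still apply the patch.

```apache
# Added example (not vendor configuration). Replace the placeholder path with the
# diagnostic pages identified in the Integrigy report for your 11i release.
<Location "/OA_HTML/diag-placeholder/">
    # Deny everyone by default; only allow the internal admin network (placeholder range).
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    # Log denied attempts separately so repeated probing of diagnostic pages is visible.
    SetEnvIf Request_URI "^/OA_HTML/diag-placeholder/" diag_probe
</Location>
CustomLog logs/diag_access.log combined env=diag_probe
```

After applying a rule like this, confirm it from an external address with a plain HTTP client and expect a 403; the dedicated log makes it easy to tell whether anyone is still requesting the pages after the patch has been applied.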