Oracle releases critical patches for database security

Security expert warns of 'killer vulnerabilities' in the database server, saying Oracle's severity ratings do not reflect the real nature of the threat they pose

Oracle released a set of 59 patches on Monday to fix security vulnerabilities across its entire range of database, application, and middleware products.

The patches include fixes for three critical flaws affecting virtually every supported version of the company's Database Server technology.


They were released as part of Oracle's scheduled quarterly Critical Patch Updates and included a total of 28 fixes for remotely exploitable vulnerabilities, a class of flaw Oracle considers critically important because it allows systems to be exploited over the network without the need for a username or password.

Of the 59 patches announced today, 13 are for security problems in Oracle's suite of database technologies. Three are critical because they address particularly dangerous flaws in all Oracle database server versions, said Josh Shaul, director of product management at Application Security, a New York-based security vendor.

One of the flaws, CVE-2010-0902, allows any user who is authenticated to an Oracle database to gain complete administrative control of it. "They can view the database, modify it, or shut down the database server. They can essentially become a database administrator," Shaul said.

The two other critical database flaws can potentially be exploited without a user even needing to be logged into the database. The flaws allow attackers to trigger denial of service (DoS) conditions against a database so as to make it unavailable to legitimate users.

"These are three really killer vulnerabilities that affect the database," Shaul said. Oracle's severity rating for the flaws does not reflect the real nature of the threat they pose, he added.

The Solaris product suite that Oracle acquired through its purchase of Sun Microsystems, meanwhile, accounted for 21 of the patches released today, seven of which are remotely exploitable.

Seventeen of the patches are for flaws in Oracle's E-Business Suite, supply chain, PeopleSoft and JD Edwards product suites, another seven fix flaws in Oracle's Fusion Middleware products, while one patches a hole in Oracle Enterprise Manager Grid Control.

The number of patches released today is relatively small compared with some previous releases. In January 2006, Oracle issued 82 patches while it issued 101 in the same year's October update.

In the past, Oracle administrators have been notoriously slow at deploying security patches, especially in database environments. Previous studies have shown Oracle environments to often be months behind in deploying the company's security patches, even in instances where the flaws present considerable danger.

Much of that reluctance has stemmed from concerns about security patches causing disruptions to production databases, and from the time needed to test and deploy the patches.

More recently, however, there are signs that companies are getting better at deploying Oracle database patches, thanks to the availability of patch management tools, Shaul said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.


This story, "Oracle releases critical patches for database security" was originally published by Computerworld.
