On deck from Oracle: 45 critical database, server patches


Database server giant Oracle plans to ship patches for a total of 45 security vulnerabilities on Thursday (July 17), bringing the vulnerability count for 2008 to a whopping 112.

Since January 2006 (this CPU included), Oracle has shipped fixes for a total of 572 vulnerabilities.

According to a pre-release analysis, the vulnerabilities affect hundreds of products, including all supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions.

This is the first Critical Patch Update that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.

In this patch batch, Oracle will provide patches for 11 Oracle Database vulnerabilities. According to Integrigy CTO Stephen Kost, some of the database flaws can be exploited using only PUBLIC privileges accessible by all database accounts.

The July CPU will also cover 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. For the Oracle E-Business Suite 11i and R12 products, there are 6 new vulnerabilities, some of which can be readily exploited by an unprivileged user.

Kost recommends that this quarter's security patches should be deemed critical.


Talkback

5 comments
  • Unbreakable.

    nt
    KTLA
  • RE: On deck from Oracle: 45 critical database, server patches

    so tables turned? MS SQL 2005 "zero" known vulnerabilities in 2.5 years..

    looks like SDL works well for Microsoft and its clients
    soulxfer
    • Hummm - zero?

      Version: 9.00.3068.00
      Download Size: 26.2 MB - 102.1 MB*

      Microsoft Security Bulletin MS08-040 - Important Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
      Published: July 8, 2008 | Updated: July 11, 2008
      jpeternel
      • Zero Critical - yes

        Microsoft Security Bulletin MS08-040 is important, not a critical. But sure if you must count it then yes 1 vs 45.
        bnordberg
  • RE: On deck from Oracle: 45 critical database, server patches

    It is important to be clear about what "be exploited using only PUBLIC privileges" means, so readers don't get the wrong idea. From the report ...

    "There are 11 database vulnerabilities and NONE [emphasis added] are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication...."

    Note that only users with valid user names and passwords can access a database at all (this is what is meant by authentication). Users outside the enterprise and others without legitimate credentials CANNOT exploit these vulnerabilities.
    kenjacobs