Oracle yesterday deployed 78 different security fixes aimed at patching holes throughout its various database products.
As part of the company's January critical patch update, 16 of the 78 fixes were considered critical, meaning they could be exploited remotely. The fixes stretched across much of Oracle's product lineup, including Oracle Database Server, Fusion Middleware, E-Business Suite, Oracle Sun products, MySQL, VirtualBox, and PeopleSoft.
One of the patches addresses a major flaw that could compromise the security of Oracle database systems. Initially researched by InfoWorld, the flaw was shared with Oracle before the tech publication went live with the news, giving the company enough time to develop a fix.
Due to the possibility of a remote attack, Oracle is advising its customers to apply the fixes as soon as possible, especially since the workaround would be more trouble than it's worth.
"Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack," the company said in its advisory. "For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack."
But Oracle cautioned that these approaches could break the functionality of the database application and urged customers to test these changes on non-production systems. Further, "neither approach should be considered a long-term solution as neither corrects the underlying problem," added the company.
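The second interim measure Oracle describes, removing package access from accounts that do not need it, is a routine privilege audit on the database side. The following Oracle SQL is an added illustration of that step and is not part of the article or of Oracle's advisory; the package name SOME_PACKAGE and the account APP_REPORTING_USER are placeholders, and DBA_TAB_PRIVS is the standard data-dictionary view that records object grants.

```sql
-- Added example (not from the article): audit, then revoke, EXECUTE on a
-- package from accounts that have no need for it. SOME_PACKAGE and
-- APP_REPORTING_USER are placeholder names; run as a DBA on a
-- non-production copy first, as the advisory recommends.

-- 1. List every grantee that can currently execute the package.
--    A grant to PUBLIC means every account in the database has access.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'SOME_PACKAGE'   -- placeholder
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Remove the grant from a specific account that does not need it.
REVOKE EXECUTE ON sys.some_package FROM app_reporting_user;  -- placeholder

-- 3. If the package is granted to PUBLIC, revoking that grant removes
--    access for all accounts that lack their own direct grant.
REVOKE EXECUTE ON sys.some_package FROM PUBLIC;

-- 4. Confirm only the intended grantees remain.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'SOME_PACKAGE'
   AND privilege  = 'EXECUTE';

-- 5. Revoking from PUBLIC can invalidate stored PL/SQL that depended on
--    the package; this query surfaces objects to recompile or re-grant.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```

Step 5 is the check behind Oracle's warning that the workaround "could break the functionality of the database application": any object that turns INVALID after the revoke is one that needs either a targeted re-grant to its owning schema or a recompile once the actual patch is applied.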
Either way, database administrators have plenty of work cut out for them.
Qualys Chief Technology Officer Wolfgang Kandek has devised a plan of action for IT admins who need to patch their database systems.
"We recommend addressing vulnerabilities on systems that are Internet accessible first," Kandek said in a blog. "Most likely this will mean fixing Weblogic/Apache and Solaris vulnerabilities first, followed by MySQL. Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all. A good map of your network will help in determining where to start."