[ISN] Oracle plugs 101 security flaws

From: InfoSec News (alerts@private)
Date: Tue Oct 17 2006 - 23:22:23 PDT


http://news.com.com/Oracle+plugs+101+security+flaws/2100-1002_3-6126864.html

By Joris Evers
Staff Writer, CNET News.com
October 17, 2006

As part of its quarterly patch cycle, Oracle released fixes on Tuesday 
for 101 security vulnerabilities across its products.

The Critical Patch Update includes remedies for 63 flaws related to 
Oracle's widely-used database products. There are also patches for 14 
vulnerabilities in Application Server, 13 related to E-Business Suite, 8 
in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD 
Edwards software.

"In terms of critical fixes, the majority of them lie within the 
application server product," said Darius Wiles, the senior manager for 
security alerts at Oracle. "There is a number that could be exploited 
both remotely and without authentication, and those are the ones that 
customers should be most concerned about and fix as soon as possible."

Oracle's October security update is the first of its quarterly bulletins 
to contain severity ratings. Also, the alert now more clearly denotes 
which flaws could be exploited remotely by anonymous attackers, the most 
serious type of vulnerability.

Many of the issues are significant. Thirty of the Oracle Database 
related flaws open systems up to unauthenticated, remote attacks, 
according to the alert. For Application Server, 13 flaws carry that 
risk, as does one in E-Business Suite and one in PeopleSoft products.

Of all the database-related flaws, 35 are in Oracle Application Express, 
and 25 of those carry the most serious risk. Application Express is an 
optional installation and isn't used by many Oracle customers, Wiles 
said. Application Server is more widely used and as such, more systems 
are at risk of flaws associated with that product, he noted.

"There is a lot of fixes this time - they seem to be getting on top of the 
bug fixing," Pete Finnigan, a security specialist in York, England, 
wrote on his blog Tuesday. "I am impressed by the new style advisory; 
it's not perfect, it is much better than it was."

Oracle's next patch day is Jan. 16.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.

