http://www.infoworld.com/article/07/10/17/Oracle-ships-critical-update-for-database-apps_1.html By Sumner Lemon IDG News Service October 17, 2007 Oracle released its latest critical patch update on Wednesday, fixing 51 vulnerabilities in a range of products, including its flagship database line. Oracle's critical patch update fixes holes in Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of the patched vulnerabilities are found in Oracle Database Server, including the most serious vulnerability fixed. "The most critical, rating 6.5 with the new CVSS 2.0 metric, is a problem in the import utility," said Alexander Kornbrust, managing director of Red Database Security, which found 13 of the 27 vulnerabilities in Oracle Database Server that are patched with this update. CVSS 2.0, or Common Vulnerability Scoring System version 2.0, is a rating system developed by the Forum of Incident Response and Security Teams as a way of measuring the severity and urgency of IT vulnerabilities. The vulnerabilities patched by Oracle's latest critical update have CVSS 2.0 ratings from 4.0 to 6.5. The vulnerability in the import utility could allow an attacker to run code on a database as the user SYS, Kornbrust said. SYS is the most powerful user in an Oracle database, and is able to do and see more than a typical database administrator. Kornbrust said database administrators can reduce their exposure to these and other vulnerabilities by hardening their databases and installing the minimum amount of features. The next Oracle critical update is set for release in January. __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Thu Oct 18 2007 - 00:22:58 PDT