[ISN] Oracle ships critical patch update for database, applications

From: InfoSec News (alerts@private)
Date: Wed Oct 17 2007 - 23:57:49 PDT


http://www.infoworld.com/article/07/10/17/Oracle-ships-critical-update-for-database-apps_1.html

By Sumner Lemon
IDG News Service
October 17, 2007

Oracle released its latest critical patch update on Wednesday, fixing 51 
vulnerabilities in a range of products, including its flagship database 
line.

Oracle's critical patch update fixes holes in Oracle Database Server, 
Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business 
Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of the patched 
vulnerabilities are found in Oracle Database Server, including the most 
serious vulnerability fixed.

"The most critical, rating 6.5 with the new CVSS 2.0 metric, is a 
problem in the import utility," said Alexander Kornbrust, managing 
director of Red Database Security, which found 13 of the 27 
vulnerabilities in Oracle Database Server that are patched with this 
update.

CVSS 2.0, or Common Vulnerability Scoring System version 2.0, is a 
rating system developed by the Forum of Incident Response and Security 
Teams as a way of measuring the severity and urgency of IT 
vulnerabilities. The vulnerabilities patched by Oracle's latest critical 
update have CVSS 2.0 ratings from 4.0 to 6.5.

The vulnerability in the import utility could allow an attacker to run 
code on a database as the user SYS, Kornbrust said. SYS is the most 
powerful user in an Oracle database, and is able to do and see more than 
a typical database administrator.

Kornbrust said database administrators can reduce their exposure to 
these and other vulnerabilities by hardening their databases and 
installing the minimum number of features.

The next Oracle critical update is set for release in January.

