RealTime IT News

Oracle Patch Day: Critical Flaws Fixed

Database software giant Oracle has issued its first monthly security bulletin with patches for multiple "high risk" product flaws.

Facing a barrage of criticism from security experts over long delays in releasing fixes for flaws in its products, the company issued an advisory (PDF file) warning of potentially serious bugs in the Oracle Database Server, the Oracle Application Server, the Oracle Enterprise Manager and the Oracle Collaboration Suite.

Specific details of the vulnerabilities were not released, but Oracle said attackers could exploit the holes to hijack services, manipulate data, expose sensitive system information and perform denial of service attacks.

"The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account," Oracle said. "There are no workarounds that fully address the security vulnerabilities ... Oracle strongly recommends that customers apply the available patches without delay."

The company posted a patch availability matrix for customers online.

Security alert clearinghouse Secunia rates the flaws as "highly critical" and released a breakdown of affected Oracle product versions.

Research firm Integrigy, which helped Oracle identify some of the vulnerabilities, also issued a separate alert with a warning that they "can be exploited in all Oracle Applications implementations."

"The vulnerabilities include buffer overflows, SQL injection issues, and denial of service problems -- many of which are considered critical since an attacker can effectively gain control over an application or database server without a valid login," Integrigy said.

"All Oracle Applications customers should consider these vulnerabilities extremely high risk and apply the Oracle patches at the earliest possible opportunity. Customers with Internet facing application servers should consider applying these patches as soon as possible," the company added.
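The advisory gives no detail on the individual bugs, but the SQL injection class Integrigy names is worth seeing concretely. The PL/SQL below is an illustrative example added here; it is not code from Oracle, Integrigy or the patched products, and the EMPLOYEES table, the procedure names and the attacker input are all assumed. It puts a vulnerable dynamic-SQL procedure beside a hardened one that uses a bind variable:

```sql
-- Vulnerable form (assumed example): the caller-supplied p_name is spliced
-- into the statement text, so a quote in the input rewrites the query.
CREATE OR REPLACE PROCEDURE list_salary_unsafe (p_name IN VARCHAR2) AS
  TYPE rc IS REF CURSOR;
  l_cur   rc;
  l_sql   VARCHAR2(4000);
  l_last  VARCHAR2(100);
  l_sal   NUMBER;
BEGIN
  l_sql := 'SELECT last_name, salary FROM employees WHERE last_name = '''
           || p_name || '''';
  OPEN l_cur FOR l_sql;
  LOOP
    FETCH l_cur INTO l_last, l_sal;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_last || ': ' || l_sal);
  END LOOP;
  CLOSE l_cur;
END;
/
-- An input such as   x' OR 1=1 --   (constructed here for illustration) turns the
-- WHERE clause into  last_name = 'x' OR 1=1 --'  and dumps every row; the same
-- mechanism lets an attacker append UNION queries against other objects the
-- procedure owner can read. If the procedure runs with definer's rights, the
-- injected SQL executes with the owner's privileges, not the caller's.

-- Hardened form (assumed example): the statement text is fixed and the input
-- is passed as a bind variable, so it can only ever be compared as a value.
CREATE OR REPLACE PROCEDURE list_salary_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER   -- run with the caller's privileges, not the owner's
AS
  TYPE rc IS REF CURSOR;
  l_cur   rc;
  l_last  VARCHAR2(100);
  l_sal   NUMBER;
BEGIN
  OPEN l_cur FOR
    'SELECT last_name, salary FROM employees WHERE last_name = :name'
    USING p_name;
  LOOP
    FETCH l_cur INTO l_last, l_sal;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_last || ': ' || l_sal);
  END LOOP;
  CLOSE l_cur;
END;
/
```

Bind variables fix the case where user input is a value. Where input has to become part of the statement structure (a table or column name), concatenation is unavoidable and the identifier should first be validated with DBMS_ASSERT, for example DBMS_ASSERT.SIMPLE_SQL_NAME, before it is spliced in. Patching the vendor's packages addresses the bugs in the advisory; the same review is needed for any site-written PL/SQL that is reachable over the network.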

The month-end release of a single consolidated advisory follows a decision by Oracle to adopt a monthly patch cycle. The new policy is similar to Microsoft's monthly security update, which is scheduled for the second Tuesday of every month.