CERT today issued a security alert for a host of Oracle infrastructure and application software products.
The alert was triggered after Oracle revealed in its regular security update cycle that a number of its products were at risk from various vulnerabilities.
Oracle’s April update patches some 36 different vulnerabilities that affect its products.
According to the CERT advisory, “the impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.”
The issues affect 14 of Oracle’s products including: Oracle Database 10g, Oracle9i Database, Oracle8i Database, Oracle Enterprise Manager 10g Grid Control, Oracle Application Server 10g, Oracle Collaboration Suite 10g, Oracle9i Collaboration Suite, Oracle E-Business Suite Release 11i, Oracle E-Business Suite Release 11.0, Oracle Pharmaceutical Applications, JD Edwards EnterpriseOne and OneWorld Tools, Oracle PeopleSoft Enterprise Tools, Oracle Workflow and Oracle Developer Suite 6i.
Ron Ben-Natan, CTO of database security and compliance company Guardium, commented that Oracle’s patch update fixes multiple vulnerabilities in replication components of various Oracle database versions.
“Replication functions may be used by a sophisticated attacker; instead of having to repeatedly attack the database, an attacker may be able to compromise the database security modules just once, and then use replication functions to ‘continuously copy’ private, confidential or sensitive data to another database,” Ben-Natan said.
The April patch haul, though still significant, represents a substantial decrease from the 82 flaws Oracle patched this past January.
Oracle issues critical patch updates on a quarterly basis.