Oracle Fixes Highly Exploitable Flaws

While Oracle’s latest quarterly critical patch may fix fewer flaws than previous quarterly patches, today’s release is notable for the number of flaws that can be exploited without credentials, according to Amichai Shulman, CTO of Imperva and a former member of the security center of the Israeli Defense Forces (IDF).

Two vulnerabilities were rated a 10 on the CVSS scale, on which 10 is the highest possible risk, because they allow an attack on the system without authentication. Being able to exploit a flaw without valid database credentials makes these flaws extremely important. Those critical vulnerabilities are in the BEA JRockit application and in Oracle Secure Backup.

BEA JRockit is Oracle’s Java technology, and the critical vulnerabilities affect the latest versions of the software, R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2). A user can exploit them to do damage without having the necessary credentials.

Oracle also issued patches for the following other BEA products: Oracle Complex Event Processing and Oracle WebLogic Server.

Oracle also issued two fixes for flaws in Oracle Secure Backup, one of which is a critical flaw rated a 10 on the CVSS. A user can exploit it to do damage without having the necessary credentials. The other is rated 9 because although it also allows a complete takeover of a PC, it requires valid credentials.

Oracle’s most popular software, Oracle Database, received 10 fixes today. Some of the patches apply to the new 11g product. Oracle said that three of those fixes address flaws that can be exploited without a user name and password, and one rates a 9 on the CVSS on Windows (but a 6.5 if Oracle is running on Unix or Linux). This flaw enables the complete takedown of a database on Windows and a partial takedown on Unix or Linux.

Shulman said that the flaw was likely related to networking components, such as the Oracle Listener component, rather than to the core of the database itself. In April, Cisco released a proof of concept attack on the Oracle Database Listener designed to work on Windows because it attacked a specific DLL file. The flaw that Cisco demonstrated has been fixed.

Lower rated fixes still pose risks

The two fixes issued to Oracle Application Server were rated a 5 out of 10, but both could be exploited without user credentials. Of eight new fixes to Oracle Applications Suite, five could be exploited without user credentials, but none were rated higher than 6. Two new fixes for Oracle Enterprise Manager Suite were not rated higher than 5.5 and were not exploitable without credentials.

Of three new patches for the PeopleSoft and JDEdwards Suite, one fixed a flaw that could be exploited without user credentials, but none was rated higher than 5.5.

One fix was issued for the Oracle Siebel Suite and although it could be exploited without user credentials, it was rated only 3.

But Shulman said that the low CVSS scores may understate the risk. “Using very simple tools like a text editor and a Telnet program, available on every PC, I can bring down a production database server,” he said. “Oracle follows the CVSS scoring standard and these flaws score relatively low, but in reality that’s a pretty big security risk.”