Database software giant Oracle
has issued its
first monthly security bulletin with patches for multiple “high risk”
Facing a barrage of criticism from security experts for long delays
in releasing fixes for security product flaws, the company issued an advisory (PDF file)
to warn of potentially serious bugs in the Oracle Database
Server, the Oracle Application Server, the Oracle Enterprise Manager and
the Oracle Collaboration Suite.
Specific details of the vulnerabilities were not released, but Oracle
said malicious attackers could exploit the holes to hijack services,
manipulate data, expose sensitive system information and perform
Denial of Service attacks
“The unpatched exposure risk is high; exploiting some of these
vulnerabilities requires network access, but no valid user account,”
Oracle said. “There are no workarounds that fully address the security
vulnerabilities … Oracle strongly recommends that customers apply the
available patches without delay.”
The company posted a patch
availability matrix for customers online.
Security alert clearinghouse Secunia rates the flaws as “highly
critical” and released a
breakdown of affected Oracle product versions.
Research firm Integrigy, which helped Oracle identify some of the
vulnerabilities, also issued a separate alert
with a warning that they “can be exploited in all Oracle Applications
“The vulnerabilities include buffer overflows, SQL injection issues,
and denial of service problems — many of which are considered critical
since an attacker can effectively gain control over an application or
database server without a valid login,” Integrigy said.
“All Oracle Applications customers should consider these
vulnerabilities extremely high risk and apply the Oracle patches at the
earliest possible opportunity. Customers with Internet facing
application servers should consider applying these patches as soon as
possible,” the company added.
The month-end release of a mega advisory follows a decision by Oracle
to adopt a
monthly patch cycle. The new policy is similar to Microsoft’s
monthly security update, which is scheduled for the second Tuesday
of every month.