Oracle Patches Two Dozen Flaws
First Oracle critical patch update of the year shows that databases are still very much at risk in 2010, though more so on Windows than on Linux.
Oracle is now out with its first quarterly critical patch update (CPU) of 2010, fixing 24 flaws spread across Oracle's product portfolio. Affected products include Oracle's namesake database server as well as the Oracle Application Server, E-Business Suite, Secure Backup, PeopleSoft Enterprise and WebLogic Servers.
Of particular note is the severity of the flaws in the January CPU -- and the potential impact on affected systems.
"Thirteen of the 24 new vulnerabilities are remotely exploitable without authentication," Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post. "This means that an attacker could attempt to exploit these vulnerabilities, should the targeted systems be exposed on the network (as opposed to being hidden behind a firewall for example) remotely without requiring a username or password."
Drilling down into the specific updates, Maurice noted that nine of the 24 security vulnerabilities affect Oracle Database Server. Of those, there is only one flaw that remotely exploitable without authentication. That flaw also carries Oracle's highest severity rating, with a score of 10.0 using the CVSS (Common Vulnerability Scoring System) system.
Oracle has been using CVSS since October 2006 to provide a score for the relative impact of a particular vulnerability.
A CVSS 10.0 score means that if the flaw is exploited, an attacker can take full control of the vulnerable system. There is a catch with this highly critical database flaw, though: Microsoft Windows users are more at risk than Linux or Unix users. Maurice noted that for Linux and Unix deployments, the CVSS score for the same vulnerability is only 7.5, since a full compromise all the way to the operating system level isn't possible on those systems.
On a year-over-year basis, the January 2010 CPU patch haul actually represents a decline from the 41 flaws Oracle reported in January 2009.
Still, at least one database security professional still sees cause for concern.
"We again see a database vulnerability scoring 10 out of 10 in severity, which would allow someone to completely takeover the database without the need of valid credentials," Amichai Shulman, CTO of database security vendor Imperva, said in an e-mail to InternetNews.com. "In addition, there are several other database vulnerabilities that only require database connection privileges in order to exploit. So overall, it seems that the severity of vulnerabilities is high."
Shulman added that the January CPU also includes two other vulnerabilities that had a CVSS score of 10. One of them was for the Secure Backup product and the other one for the JRockit Java Virtual Machine product that Oracle acquired with its acquisition of BEA in 2008.
"The vulnerabilities in the Secure Backup product could allow confidential data to be exposed or it could be possible to even tamper with stored data," Shulman said.
Oracle's next quarterly critical patch update is currently scheduled to be released on April 13.
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the internet.com network.