The patches aim to lock down exploits affecting a variety of the company's Database, Application Server, Collaboration Suite and Enterprise Manager products, with some of the flaws requiring network access but no valid user account.
Oracle issued a security alert and downloadable patch release Tuesday to plug multiple vulnerabilities scattered across its database server products. The patches are designed to lock down exploits affecting a variety of Oracles Database, Application Server, Collaboration Suite and Enterprise Manager products.
According to the alert, the new patches eliminate security flaws in the Database Server and the Listener offerings. Officials at Redwood Shores, Calif.-based Oracle Corp. listed its Database Server exposure risk as "high" if unpatched, and they noted that exploiting some of the vulnerabilities requires network access but no valid user account.
Click here to read more about the patches, which comprise Oracles first monthly patch rollup.
Supported products affected by the patch include Oracle Database 10g Release 1, version 10.1.02; Oracle 9i Database Server Release 2, versions 22.214.171.124 and 9.2.05; Oracle 9i Database Server Release 1, versions 126.96.36.199, 188.8.131.52 and 9.0.4; as well as Oracle 8i Database Server release 4, version 184.108.40.206.
The new patches also eliminate exploits deemed to be of "high" exposure risk within the Portal and iSQL Plus components of Oracle Application Server.
Specifically, the database giant said the patches support Oracle Application Server 10g (9.0.4), versions 220.127.116.11 and 18.104.22.168; Oracle9i Application Server Release 2, versions 22.214.171.124 and 126.96.36.199; and Oracle 9i Application Server Release 1, version 188.8.131.52. Additionally, Oracle officials said network access without a valid user account can be used to exploit some of these vulnerabilities.
Although the risk was deemed medium, with a valid operating-system user account on the Enterprise Manager host required in order for an attacker to exploit vulnerabilities, the patch rollup issued Tuesday also offered patches for existing security holes in Oracle Enterprise Manager Grid Control 10g, version 10.1.2; and Oracle Enterprise Manager Database Control 10g, version 10.1.0.2.
To read more about 30-plus security flaws uncovered at the beginning of the year, click here.
Oracle recommends that all of its Collaboration Suite customers apply the Oracle database patches to their information Storage database and the Oracle Application Server embedded database. Also, those customers should incorporate the application server patch toward the Oracle Application Server infrastructure installation and each Collaboration Suite middle-tier installation.
But Collaboration Suite users who have already upgraded their Information Storage database to Oracle Database 10g Release 1, version 10.1.0.2, are asked to also apply the Enterprise Manager patch.
Concerning E-Business Suite 11i customers, the Oracle security alert suggested that customers institute the available Oracle Database patches toward their existing Oracle Database Servers. In addition, E-Business Suite 11i end-users should apply the Oracle Application Server patch to their current Application Server releases.
The patches are available on Oracle Technology Network and on Oracles support site, MetaLink, where registration is required.
Check out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.
Brian Fonseca is a senior writer at eWEEK who covers database, data management and storage management software, as well as storage hardware. He works out of eWEEK's Woburn, Mass., office. Prior to joining eWEEK, Brian spent four years at InfoWorld as the publication's security reporter. He also covered services, and systems management. Before becoming an IT journalist, Brian worked as a beat reporter for The Herald News in Fall River, Mass., and cut his teeth in the news business as a sports and news producer for Channel 12-WPRI/Fox 64-WNAC in Providence, RI. Brian holds a B.A. in Communications from the University of Massachusetts Amherst.