Oracle Patch Set Plugs Widespread Server Holes

The patches aim to lock down exploits affecting a variety of the company's Database, Application Server, Collaboration Suite and Enterprise Manager products, with some of the flaws requiring network access but no valid user account.

Oracle issued a security alert and downloadable patch release Tuesday to plug multiple vulnerabilities scattered across its database server products. The patches are designed to lock down exploits affecting a variety of Oracles Database, Application Server, Collaboration Suite and Enterprise Manager products. According to the alert, the new patches eliminate security flaws in the Database Server and the Listener offerings. Officials at Redwood Shores, Calif.-based Oracle Corp. listed its Database Server exposure risk as "high" if unpatched, and they noted that exploiting some of the vulnerabilities requires network access but no valid user account. Click here to read more about the patches, which comprise Oracles first monthly patch rollup. Supported products affected by the patch include Oracle Database 10g Release 1, version 10.1.02; Oracle 9i Database Server Release 2, versions 9.2.0.4 and 9.2.05; Oracle 9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4; as well as Oracle 8i Database Server release 4, version 8.1.7.4. The new patches also eliminate exploits deemed to be of "high" exposure risk within the Portal and iSQL Plus components of Oracle Application Server. Specifically, the database giant said the patches support Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1; Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1; and Oracle 9i Application Server Release 1, version 1.0.2.2. Additionally, Oracle officials said network access without a valid user account can be used to exploit some of these vulnerabilities. Although the risk was deemed medium, with a valid operating-system user account on the Enterprise Manager host required in order for an attacker to exploit vulnerabilities, the patch rollup issued Tuesday also offered patches for existing security holes in Oracle Enterprise Manager Grid Control 10g, version 10.1.2; and Oracle Enterprise Manager Database Control 10g, version 10.1.0.2. To read more about 30-plus security flaws uncovered at the beginning of the year, click here. Oracle recommends that all of its Collaboration Suite customers apply the Oracle database patches to their information Storage database and the Oracle Application Server embedded database. Also, those customers should incorporate the application server patch toward the Oracle Application Server infrastructure installation and each Collaboration Suite middle-tier installation. But Collaboration Suite users who have already upgraded their Information Storage database to Oracle Database 10g Release 1, version 10.1.0.2, are asked to also apply the Enterprise Manager patch. Concerning E-Business Suite 11i customers, the Oracle security alert suggested that customers institute the available Oracle Database patches toward their existing Oracle Database Servers. In addition, E-Business Suite 11i end-users should apply the Oracle Application Server patch to their current Application Server releases. The patches are available on Oracle Technology Network and on Oracles support site, MetaLink, where registration is required. Check out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.

Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page