Oracle Releases Critical Patch Update with 41 Fixes

Oracle delivered 41 security fixes to its customers in its first CPU (Critical Patch Update) of 2009.

Among those fixes are patches for serious flaws affecting Oracle WebLogic Server and Windows versions of Oracle Secure Backup. According to Oracle, a vulnerability in the WebLogic Server plug-ins for Apache, Sun Microsystems and IIS (Internet Information Services) Web servers received a CVSS (Common Vulnerability Scoring System) rating of 10 and can be exploited remotely without authentication.

There are also three other vulnerabilities affecting WebLogic Server and an additional vulnerability in WebLogic Portal. The highest CVSS rating among them is 6.8.

Four of the nine vulnerabilities affecting Oracle Secure Backup received a CVSS score of 10. All nine of these flaws, however, can be exploited remotely without authentication.

Click here to read about Microsoft's first Patch Tuesday of 2009. 

Amichai Shulman, CTO of Imperva, said the lack of technical details provided by Oracle—particularly for the vulnerabilities rated 10—makes it difficult for customers to assess their exposure.

"What we know is the vulnerabilities rated 10 for Secure Backup are important because they allow an attacker to take control of the databases being backed up," Shulman said. "Also, the WebLogic vulnerability rated 10 allows an attacker to take over a Web application without authentication. These are both serious flaws."

There are a total of 10 vulnerabilities for the Oracle Database, and one for the Oracle TimesTen Data Server. None of the 10 database vulnerabilities can be exploited without authentication, but the TimesTen flaw can.

Oracle is supplying additional fixes for four flaws affecting Oracle Application Server, one for the Oracle Collaboration Suite, four for the Application suite and one for Oracle Enterprise Manager. Another six security fixes are for the PeopleSoft and JD Edwards Suite.

The next CPU is scheduled to be released April 14.