Oracle fixed 73 security vulnerabilities across its product portfolio, including six bugs for its database software and 18 bugs in the Oracle Sun product suite.
Oracle on April 19 released 25 security patches that addressed 73 vulnerabilities, of which 36 have been classified as "critical," as part of its quarterly Critical Patch Update. The critical issues may be exploited remotely without requiring a username or password.

The Critical Patch Update contained updates to Oracle Database Server 11g and 10g, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Siebel CRM, Oracle Industry Applications, E-Business, Supply Chain Products, PeopleSoft, JD Edwards, OpenOffice and the Oracle Sun product suite.
Oracle addressed six vulnerabilities in the database, two of which were considered critical. The patches apply to server environments, not to client-only deployments where Oracle Database Server was not installed. The Database Server bug fixes affected Application Service Level Management, Database Vault, Network Foundation, Oracle Help, Oracle Security Service, Oracle Warehouse Builder and UIX.

One of the bug fixes addressed an escalation-of-privilege vulnerability in the database server's Database Vault component (CVE-2011-0793). This relatively low-risk security flaw affected only the databases protected by Database Vault and allowed users with certain privileges to change any other user's password. The flaw could also result in the attacker changing the Database Vault owner's
Another database bug involved the Network Foundation component (CVE-2011-0806) on Windows servers and was classified as critical because anyone with network access to an Oracle Database Server could exploit the vulnerability. Attackers can take advantage of the flaw to trigger a denial-of-service condition, as it can consume all CPU resources on the server.
Oracle fixed a cross-site scripting vulnerability in the Oracle Help component (CVE-2011-0785) that affected multiple products, including Oracle Database Server, Oracle Fusion Middleware and Oracle Enterprise Manager. The cross-site scripting flaw allowed attackers to take over an administrator's Web session if the victim clicked on or opened a malicious link.

An issue in the Application Service Level Management component (CVE-2011-0787) exposed both Oracle Enterprise Manager and Oracle Database Server to SQL injection attacks. The vulnerability allows any user to execute SQL statements as the SYSMAN database user with DBA-like privileges. Like the XSS flaw, this vulnerability can be exploited only if the victim first clicks on a link or views malicious content.
Oracle also patched the SSL negotiation in both the Oracle Security Service and Oracle WebLogic Server components (CVE-2009-3555). Affecting Oracle Fusion Middleware and Oracle Database Server, this widespread vulnerability in how the TLS/SSL protocol handles session handshakes allows attackers to launch man-in-the-middle attacks. The attack can retrieve Web application data such as cookies and other authentication information.
Oracle calculates a risk score based on the Common Vulnerability Scoring System (CVSS) to assess the severity of each vulnerability. Oracle also provides an "impact rating" to indicate the extent to which the vulnerability would affect the customer system, whether it's the entire system, several components or a single table.

The patches for JRockit in Oracle Fusion Middleware and for the Sun GlassFish Enterprise Server and Sun Java System Application Server included in the Oracle Sun Products suite all have a CVSS score of 10, the most critical rating. The majority of OpenOffice fixes had a CVSS score of 9.3 or higher, and there was a Solaris patch that had a CVSS score of 7.8.