According to the alert, the new patches eliminate security flaws in the Database Server and the Listener offerings. Officials at Redwood Shores, Calif.-based Oracle Corp. listed its Database Server exposure risk as "high" if unpatched, and they noted that exploiting some of the vulnerabilities requires network access but no valid user account.
Supported products affected by the patch include Oracle Database 10g Release 1, version 10.1.02; Oracle 9i Database Server Release 2, versions 18.104.22.168 and 9.2.05; Oracle 9i Database Server Release 1, versions 22.214.171.124, 126.96.36.199 and 9.0.4; as well as Oracle 8i Database Server release 4, version 188.8.131.52.
The new patches also eliminate vulnerabilities deemed to be of "high" exposure risk within the Portal and iSQL Plus components of Oracle Application Server.
Specifically, the database giant said the patches support Oracle Application Server 10g (9.0.4), versions 184.108.40.206 and 220.127.116.11; Oracle9i Application Server Release 2, versions 18.104.22.168 and 22.214.171.124; and Oracle 9i Application Server Release 1, version 126.96.36.199. Additionally, Oracle officials said network access without a valid user account can be used to exploit some of these vulnerabilities.
The patch rollup issued Tuesday also offered patches for existing security holes in Oracle Enterprise Manager Grid Control 10g, version 10.1.2; and Oracle Enterprise Manager Database Control 10g, version 10.1.0.2. The risk there was deemed medium, with a valid operating-system user account on the Enterprise Manager host required in order for an attacker to exploit the vulnerabilities.
Oracle recommends that all of its Collaboration Suite customers apply the Oracle database patches to their Information Storage database and the Oracle Application Server embedded database. Those customers should also apply the application server patch to the Oracle Application Server infrastructure installation and to each Collaboration Suite middle-tier installation.
But Collaboration Suite users who have already upgraded their Information Storage database to Oracle Database 10g Release 1, version 10.1.0.2, are asked to also apply the Enterprise Manager patch.
For E-Business Suite 11i customers, the Oracle security alert suggested applying the available Oracle Database patches to their existing Oracle Database Servers. In addition, E-Business Suite 11i users should apply the Oracle Application Server patch to their current Application Server releases.
The patches are available on Oracle Technology Network and on Oracle's support site, MetaLink, where registration is required.