Oracle on April 19 released 25 security patches that addressed 73 vulnerabilities, of which 36 have been classified as “critical,” as part of its quarterly Critical Patch Update. The critical issues may be exploited remotely without requiring a username or password.
April’s CPU contained updates to Oracle Database Server 11g and 10g, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Siebel CRM, Oracle Industry Applications, E-Business Suite, Supply Chain Products, PeopleSoft, JD Edwards, OpenOffice and the Oracle Sun product suite.
Oracle addressed six vulnerabilities in the database, two of which were considered critical. The patches apply to server environments, not to client-only deployments where Oracle Database Server was not installed. The Database Server bug fixes affected Application Service Level Management, Database Vault, Network Foundation, Oracle Help, Oracle Security Service, Oracle Warehouse Builder and UIX.
One of the bug fixes addressed a privilege-escalation vulnerability in the database server’s Database Vault component (CVE-2011-0793). This relatively low-risk security flaw affected only databases protected by Database Vault and allowed users with certain privileges to change any other user’s password, including the password of the Database Vault owner.
Another database bug involved the Network Foundation component (CVE-2011-0806) on Windows servers and was classified as critical because anyone with network access to an Oracle Database Server could exploit it. An attacker can use the flaw to cause a denial of service, since triggering it can consume all of the server’s CPU resources.
Oracle fixed a cross-site scripting vulnerability in the Oracle Help component (CVE-2011-0785) that affected multiple products, including Oracle Database Server, Oracle Fusion Middleware and Oracle Enterprise Manager. The cross-site scripting flaw allowed attackers to take over an administrator’s Web session if the victim clicked on or opened a malicious link.
An issue in the Application Service Level Management component (CVE-2011-0787) exposed both Oracle Enterprise Manager and Oracle Database Server to SQL injection attacks. The vulnerability allows any user to execute SQL statements as the SYSMAN database user, which holds DBA-like privileges. Like the XSS flaw, this vulnerability can be exploited only if the victim first clicks on a link or views malicious content.
Oracle also patched the TLS/SSL renegotiation flaw (CVE-2009-3555) in both the Oracle Security Service and Oracle WebLogic Server components. Affecting Oracle Fusion Middleware and Oracle Database Server, this widespread vulnerability in how the TLS/SSL protocol handles session handshakes allows attackers to launch man-in-the-middle attacks, through which they can retrieve Web application data such as cookies and other authentication information.
Oracle calculates a risk score based on the Common Vulnerability Scoring System (CVSS) to assess the severity of each vulnerability. Oracle also provides an “impact rating” to indicate how much of the customer’s system the vulnerability would affect, whether the entire system, several components or a single table.
The patches for JRockit in Oracle Fusion Middleware and for the Sun GlassFish Enterprise Server and Sun Java System Application Server in the Oracle Sun product suite all have a CVSS score of 10, the maximum and therefore the most critical rating. The majority of OpenOffice fixes had a CVSS score of 9.3 or higher, and one Solaris patch had a CVSS score of 7.8.