Oracle Patch Fixes 23 Critical Vulnerabilities

Oracle Corp. late Tuesday issued a “critical patch update” to address 23 security holes in its database and application server products.

The patches were released as part of Oracles first quarterly patching cycle and fix a series of undisclosed flaws ranging from manipulation of data, exposure of sensitive information, privilege escalation and denial-of-service attacks.

The vulnerabilities affect users of the Oracle Database 10g Release 1, Oracle9i Database Server, Oracle Application Server, Oracle9i Application Server, Oracle Collaboration Suite and Oracle E-Business Suite and Applications Release.

In an advisory (PDF file), Oracle said the first quarter patch update is a cumulative update that also contains nonsecurity fixes that are required (because of interdependencies) on the security fixes.

Secunia, a private security research outfit, rates the flaws as “moderately critical” and warned that exploitation could lead to PL/SQL injection attacks.

Oracles alert did not provide specific information on the attack scenarios and Next Generation Security Software Ltd., one of the private firms that reported the vulnerabilities, said it would withhold details about the flaws until April 18.

“This three-month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public,” NGS Software officials said.

Secunias advisory contains minor details of the bugs, which include a boundary error in the Networking component that can be exploited by malicious database users to crash the database via a specially crafted connect string.

Another error in the Spatial component can potentially be exploited to disclose information, manipulate data, or cause a DoS condition.

The next batch of patches from Oracle is scheduled for April 12.

Oracle had originally announced it would release patches on a monthly schedule, but the company shifted away from that plan in November in favor of the quarterly cycle.

/zimages/3/28571.gifClick here to read more about the switch to a quarterly schedule.

In the past, Oracle has been criticized for its lackadaisical approach to addressing critical security flaws. At the Black Hat security conference in Las Vegas last year, NGS Software pushed the envelope by releasing details on more than two dozen security holes in Oracle products that had not been fixed.

At the time, NGS Software said Oracle was aware of the vulnerabilities—some of them critical—for several months.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.