Oracle Plugs 82 Database, Server Holes

Oracle's quarterly critical patch update corrects flaws that could cause data manipulation, system exposure and SQL injection attacks.

Oracle Corp. has released a "moderately critical" batch of patches to plug a total of 82 security vulnerabilities in several database and server products.

As part of its quarterly critical patch update release cycle, the Redwood City, Calif.-based vendor shipped fixes to ptach holes that could put customers at risk of data manipulation, system exposure and SQL injection attacks.

The bulk of the patches address flaws in the flagship Oracle Database, Oracle Collaboration Suite and the Oracle Application Server. A large number of vulnerabilities were also fixed in the Oracle Developer Suite, Oracle Enterprise Manage, JD Edwards EnterpriseOne and PeopleSoft Enterprise Portal.

/zimages/1/28571.gifeWEEK gets a tour of Oracles security practices. Click here to read more.

Because of the way Oracle releases information about the fixes, the impact of some of the vulnerabilities remains unknown. Security alerts aggregator Secunia Inc. slapped a "moderately critical" rating on the update and warned that some of the flaws can be exploited to gain knowledge of certain information, overwrite arbitrary files and conduct SQL injection attacks.

Alexander Kornbrust, CEO of Red-Database-Security GmbH, has published a separate advisory with details on specific fixes and also disclosed that the update delivers a password-checking tool to check for the existence of some password hashes.

Secunias alert includes a list of affected products and components and the attack vectors that have been patched.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.