Oracle Ships Out-of-Cycle Security Update

The database server maker releases an update to the Oracle Diagnostics troubleshooting feature to fix several high-risk vulnerabilities.

Database server giant Oracle has released an out-of-band security update with fixes for several high-risk vulnerabilities affecting enterprise customers.

The patches were included in an upgrade to Oracle Diagnostics, a troubleshooting feature that ships with the Oracle E-Business Suite 11i and comes more than six weeks ahead of the next scheduled quarterly updates from the vendor.

According to an advisory (PDF) from application security consulting group Integrigy, the patch covers a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes.

"The most significant issue with the Oracle Diagnostics is that some of the diagnostics can be executed without any authentication and it is possible to configure the diagnostics to be unrestricted," Integrigy said in the advisory.

/zimages/6/28571.gifClick here to read about a gaping flaw in the Oracle PL/SQL Gateway.

Several permission issues and SQL injection vulnerabilities are fixed by the patch, according to Integrigy.

Oracle Diagnostics lets database administrators execute technical and functional tests on the configuration and set-up of an application.

Oracle officials said the patches included in the out-of-cycle update will be included in the next quarterly Critical Patch Update, scheduled for April 18.

According to Integrigys alert, this is the first time that Oracle has notified customers of security fixes in out-of-cycle product upgrades. "We believe Oracle is encouraging customers to upgrade to the latest support diagnostics as a way to improve technical support and by highlighting a security risk will accelerate the adoption of the diagnostics patch," the company added.

The Oracle Diagnostics patches have no impact on customers using the Oracle Database, Oracle Application Server and Oracle Collaboration Suite.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.