Oracle Squashes 65 Security Bugs

The database vendor's July critical patch update fixes multiple SQL injection flaws in a wide range of enterprise-facing products.

Database and server giant Oracle on July 17 shipped a quarterly critical patch update with fixes for a whopping 65 security vulnerabilities.

The July CPU addresses flaws in several products and components, including the widely used Oracle Database, Oracle Application Server, Oracle Collaboration Suite and Oracle E-Business Suite.

A total of 23 patches apply to the Redwood Shores, Calif., vendor's flagship Oracle Database, most addressing flaws that could lead to SQL injection attacks.

For customers using the Oracle E-Business Suite and Applications, the company shipped fixes for 20 different vulnerabilities.

Patches for easy-to-exploit vulnerabilities in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne products were also included.


Ten bugs in the Oracle Application Server were also fixed, said Alexander Kornbrust, CEO of Red Database Security, based in Neunkirchen, Germany.


Kornbrust, who is credited with reporting several flaws to Oracle, noted that there are no patches in the CPU for Oracle XE (Express Edition).

"Even if it's a free product, Oracle should deliver support and mention how and what to patch," Kornbrust said in an interview with eWEEK.

After reviewing the July CPU from Oracle, Kornbrust said he was happy to see that the company had fixed the well-known View bug that could allow any user to insert, update or delete data via a view.

Exploit code for this flaw was accidentally posted to Oracle's MetaLink customer support site by Oracle in April 2006.
