Oracle Update Plugs Security Holes

Critical update delivers 45 patches for Oracle customers this time around.

Oracle issued 45 security fixes for its customers July 17 as part of its quarterly Critical Patch Update.

The 45 patches plug security holes in Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, and Oracle PeopleSoft Enterprise products.

The most serious of the flaws are two vulnerabilities affecting Oracle PeopleSoft Enterprise PeopleTools, which received a Common Vulnerability Scoring System rating of 4.8 out of 10. The flaws can be exploited remotely by an attacker but require user authentication.

The company initially planned 46 patches for this weeks release. An Oracle spokesperson said an issue came out in the late stages of the companys testing process that the development team could not resolve before the release of the update.

"We will attempt to include the fix in the October 2007 CPU," the spokesperson said.

Nineteen of the patches are for database products, including two for flaws that can be exploited remotely without a password or user name for authentication. Four new security fixes are for flaws in Oracle Application Server, three of which can be remotely exploitable without authentication.

In addition, there is one new Oracle Collaboration Suite-specific fix, 14 security fixes for the Oracle E-Business Suite, three for Oracle PeopleSoft Enterprise PeopleTools, two for PeopleSoft Enterprise Customer Relationship Management and two security fixes for PeopleSoft Enterprise Human Capital Management.

Among the patches is a fix for a cross-site scripting vulnerability reported by researchers at Imperva that affects the Oracle E-Business Suite and could be exploited remotely to steal sensitive data and execute phishing attacks.

Imperva SecureSphere Database Security Gateway and Web Application Firewall appliances automatically protect Oracle products against this flaw until it is patched, company officials said.

"They were very quick [with the patch]," said Imperva Chief Technology Officer Amichai Shulman, adding that Imperva reported the flaw no more than three months ago.

/zimages/1/28571.gifClick here to read about Oracles Audit Vault, which is designed to streamline the database auditing process.

The July 17 fixes are part of the companys Critical Patch Update releases, issued four times year. The last batch, in April, featured 36 security fixes.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.