By Sumner Lemon
IDG News Service
October 17, 2007
Oracle released its latest critical patch update on Wednesday, fixing 51
vulnerabilities in a range of products, including its flagship database
Oracle's critical patch update fixes holes in Oracle Database Server,
Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business
Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of the patched
vulnerabilities are found in Oracle Database Server, including the most
serious vulnerability fixed.
"The most critical, rating 6.5 with the new CVSS 2.0 metric, is a
problem in the import utility," said Alexander Kornbrust, managing
director of Red Database Security, which found 13 of the 27
vulnerabilities in Oracle Database Server that are patched with this
CVSS 2.0, or Common Vulnerability Scoring System version 2.0, is a
rating system developed by the Forum of Incident Response and Security
Teams as a way of measuring the severity and urgency of IT
vulnerabilities. The vulnerabilities patched by Oracle's latest critical
update have CVSS 2.0 ratings from 4.0 to 6.5.
The vulnerability in the import utility could allow an attacker to run
code on a database as the user SYS, Kornbrust said. SYS is the most
powerful user in an Oracle database, and is able to do and see more than
a typical database administrator.
Kornbrust said database administrators can reduce their exposure to
these and other vulnerabilities by hardening their databases and
installing the minimum amount of features.
The next Oracle critical update is set for release in January.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com