Oracle released 41 security fixes for its flagship database and several other products Tuesday, including 15 patches for vulnerabilities that can be exploited remotely without a username or password.
The presence of vulnerabilities that can be exploited without authentication "means that your database is a sitting duck unless you deploy this patch," says Slavik Markovich, CTO of database security vendor Sentrigo.
Oracle database products account for 17 security patches, two of which could be exploited remotely over a network without authentication. The rest of the fixes are spread across Oracle's Application Server, Collaboration Suite and E-Business Suite products, as well as Oracle's PeopleSoft and Siebel software.
SQL injections might be among the attacks customers risk if they don't install the patches, Markovich says. The Advanced Queuing technology in Oracle's database has been linked to SQL injections in which malicious users gain elevated privileges and steal data such as credit card information, he says. Two vulnerabilities related to the Advanced Queuing database component were listed in Tuesday's quarterly critical patch update.
The 41 fixes exceed the 26 security bugs in the last patch update released in January, but fall short of the 51 patches released by Oracle last October. Markovich doesn't see any signs that vulnerabilities will become fewer over time.
"It seems the database contains so many modules and so many lines of code I really expect it to keep up that pace," he says.
Oracle database customers can avoid some problems from the start by not installing modules they aren't going to use, Markovich says. Users get into trouble when they install every database component even when it's not necessary.
"By having [unnecessary modules] in the database, you actually increase your attack surface," Markovich says.
Among the Oracle database vulnerabilities, the two that can be exploited remotely without a username and password affect the database authentication system and Oracle Application Express, a Web application development tool for the database.
Eleven security fixes were announced for the Oracle E-Business Suite and related applications, including seven that can be exploited without authorization. Three security fixes affected the Oracle Application Server, all of which can be exploited remotely without authorization.
Six fixes, including three for problems that can be exploited without authentication, affect the Oracle Siebel Enterprise Suite's SimBuilder, a content development tool for building online training programs. Three fixes affect PeopleSoft tools and one affects Oracle Enterprise Manager.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. CRM your salespeople will love
Everything you need to know about email and web security (but were afraid to ask)
Best Practice in Building an Integrated Information Management Strategy
Discover the advantages of an open architecture multi-vendor network solution
Data grids and service-oriented architecture
Making the Business Case for IT Consolidation
Refresh your AUP: Top tips to ensure your acceptable use policy is fit for purpose
The state of Middleware
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Fortinet November Threatscape Report Shows Calm Before Holiday Storm 2008-12-05 16:00:00+11
Epicor® Cited as an Order Management Solutions Leader by Independent Research Firm 2008-12-05 15:52:00+11
F-Secure: Growth In Internet Crime Calls For Growth In Punishment 2008-12-05 13:00:00+11
International researchers gather in Sydney to preview the clever web 2008-12-05 09:48:00+11
Borderless corporate networks to shift focus to secure content management in Australia in 2009 2008-12-04 16:06:00+11
Radicati Market Quadrant 2008 on Corporate Web Security
An Analysis of the Market for Corporate Web Security Solutions, revealing Top Players, Mature Players, Specialists and Trail Blazers. Read on to discover who makes the grade.
Buying Guides
Buying Guides
