Oracle corrects recent vulnerabilities
Oracle 10g, Oracle WebLogic and Secure Backup all fixed in latest critical patch update
- By Joab Jackson
- Jan 14, 2009
Oracle has released its latest collection of critical patches, remedying a number of recently discovered flaws in its database, application server and backup software products, among others.
Users are advised to apply the patches, or to follow Oracle's workaround instructions where a patch cannot yet be applied, both for these products and for other Oracle applications that depend on them.
Many of the problems were found by outside security analysis firms.
The security research firm iDefense found that Oracle Database 10g Release 2, version 10.2.0.3.0, suffers from a vulnerability that allows an authenticated user to execute privileged operations and overwrite any accessible file. Both the Linux and Microsoft Windows platforms are susceptible. Older versions of the database may also be affected, though Database 11g does not appear to be vulnerable. The Common Vulnerabilities and Exposures project has assigned the designation CVE-2008-3997 to this issue.
iDefense also found that Oracle's Secure Backup tape backup management software suffers from flaws in its PHP log-in routine that could allow an attacker to pass shell commands to the server running the software, that is, an operating-system command injection reachable before authentication succeeds. Both the Linux and Microsoft Windows platforms are susceptible. The flaws affect version 10.2.0.2 and possibly older versions as well.
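The class of bug described above is worth seeing in code. The following is an added illustration, not Oracle Secure Backup's code and not iDefense's proof of concept: it models a log-in handler that shells out to a helper with the submitted username, with `echo` standing in for that helper so the script runs offline, and the username policy (`USERNAME_RE`) is an assumed allow-list chosen for the example. The vulnerable handler interpolates the username into a shell string; the hardened one validates the input and passes it as a single argv element so no shell ever parses it.

```python
"""Command injection through a log-in handler: vulnerable vs. hardened.

Added example; `echo` stands in for whatever helper a real log-in routine
would invoke, and USERNAME_RE is an assumed policy, not Oracle's.
"""
import re
import subprocess

# Assumed allow-list for usernames: letters, digits, dot, underscore, dash.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Constructed sample inputs (not captured from any real product).
BENIGN_USER = "backupadmin"
HOSTILE_USER = "backupadmin; echo INJECTED"


def lookup_user_vulnerable(username: str) -> str:
    """Builds a shell string from untrusted input and hands it to /bin/sh.

    A ';' in the username terminates the intended command, and whatever
    follows runs as a second command with the web server's privileges.
    """
    cmd = f"echo {username}"
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=False)
    return out.stdout


def lookup_user_argv_only(username: str) -> str:
    """Passes the username as one argv element (no shell involved).

    Even without input validation, the metacharacters are now just bytes
    inside a single argument; nothing interprets them.
    """
    out = subprocess.run(["echo", username], capture_output=True,
                         text=True, check=False)
    return out.stdout


def lookup_user_hardened(username: str) -> str:
    """Allow-list validation plus argv passing: reject, don't sanitise."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_user_argv_only(username)


def injected(output: str) -> bool:
    """True if the attacker's second command actually executed."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(username: str) -> bool:
    """Convenience check: does the hardened handler refuse this input?"""
    try:
        lookup_user_hardened(username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, hostile input:", repr(lookup_user_vulnerable(HOSTILE_USER)))
    print("argv only, hostile input: ", repr(lookup_user_argv_only(HOSTILE_USER)))
    print("hardened rejects hostile: ", hardened_rejects(HOSTILE_USER))
```

The two layers are deliberately separate: removing the shell (`lookup_user_argv_only`) kills the injection on its own, and the allow-list on top of it keeps junk out of whatever the helper does with the name later. Run on a POSIX host, since the vulnerable path depends on `/bin/sh` semantics.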
Another security research firm, Assurent, found a way to mount a denial-of-service attack against Oracle WebLogic Server: a remote user can send a maliciously crafted HTTP request to the Apache HTTP Server that acts as the Web front end in the WebLogic package. This critical problem has been assigned the designation CVE-2008-5457.
This latest group of patches also includes fixes for Oracle Database 9i, the Oracle TimesTen In-Memory Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, PeopleSoft Enterprise Human Resource Management System and JD Edwards Tools.
Oracle releases its Critical Patch Updates quarterly, in January, April, July and October.
Joab Jackson is the senior technology editor for Government Computer News.