Oracle Patch Set Plugs Widespread Server Holes

By Brian Fonseca  |  Posted 2004-08-31 Email Print this article Print


Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce

The patches aim to lock down exploits affecting a variety of the company's Database, Application Server, Collaboration Suite and Enterprise Manager products, with some of the flaws requiring network access but no valid user account.

Oracle issued a security alert and downloadable patch release Tuesday to plug multiple vulnerabilities scattered across its database server products. The patches are designed to lock down exploits affecting a variety of Oracle's Database, Application Server, Collaboration Suite and Enterprise Manager products.

According to the alert, the new patches eliminate security flaws in the Database Server and the Listener offerings. Officials at Redwood Shores, Calif.-based Oracle Corp. listed its Database Server exposure risk as "high" if unpatched, and they noted that exploiting some of the vulnerabilities requires network access but no valid user account.

Click here to read more about the patches, which comprise Oracle's first monthly patch rollup.

Supported products affected by the patch include Oracle Database 10g Release 1, version 10.1.02; Oracle 9i Database Server Release 2, versions and 9.2.05; Oracle 9i Database Server Release 1, versions, and 9.0.4; as well as Oracle 8i Database Server release 4, version

The new patches also eliminate exploits deemed to be of "high" exposure risk within the Portal and iSQL Plus components of Oracle Application Server.

Specifically, the database giant said the patches support Oracle Application Server 10g (9.0.4), versions and; Oracle9i Application Server Release 2, versions and; and Oracle 9i Application Server Release 1, version Additionally, Oracle officials said network access without a valid user account can be used to exploit some of these vulnerabilities.

Although the risk was deemed medium, with a valid operating-system user account on the Enterprise Manager host required in order for an attacker to exploit vulnerabilities, the patch rollup issued Tuesday also offered patches for existing security holes in Oracle Enterprise Manager Grid Control 10g, version 10.1.2; and Oracle Enterprise Manager Database Control 10g, version

To read more about 30-plus security flaws uncovered at the beginning of the year, click here.

Oracle recommends that all of its Collaboration Suite customers apply the Oracle database patches to their information Storage database and the Oracle Application Server embedded database. Also, those customers should incorporate the application server patch toward the Oracle Application Server infrastructure installation and each Collaboration Suite middle-tier installation.

But Collaboration Suite users who have already upgraded their Information Storage database to Oracle Database 10g Release 1, version, are asked to also apply the Enterprise Manager patch.

Concerning E-Business Suite 11i customers, the Oracle security alert suggested that customers institute the available Oracle Database patches toward their existing Oracle Database Servers. In addition, E-Business Suite 11i end-users should apply the Oracle Application Server patch to their current Application Server releases.

The patches are available on Oracle Technology Network and on Oracle's support site, MetaLink, where registration is required.

Check out's Database Center at for the latest database news, reviews and analysis.

Be sure to add our database news feed to your RSS newsreader or My Yahoo page

Brian Fonseca is a senior writer at eWEEK who covers database, data management and storage management software, as well as storage hardware. He works out of eWEEK's Woburn, Mass., office. Prior to joining eWEEK, Brian spent four years at InfoWorld as the publication's security reporter. He also covered services, and systems management. Before becoming an IT journalist, Brian worked as a beat reporter for The Herald News in Fall River, Mass., and cut his teeth in the news business as a sports and news producer for Channel 12-WPRI/Fox 64-WNAC in Providence, RI. Brian holds a B.A. in Communications from the University of Massachusetts Amherst.


Submit a Comment

Loading Comments...

Thanks for your registration, follow us on our social networks to keep up-to-date