Oracle Patch Set Plugs Widespread Server HolesBy Brian Fonseca | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
The patches aim to lock down exploits affecting a variety of the company's Database, Application Server, Collaboration Suite and Enterprise Manager products, with some of the flaws requiring network access but no valid user account.Oracle issued a security alert and downloadable patch release Tuesday to plug multiple vulnerabilities scattered across its database server products. The patches are designed to lock down exploits affecting a variety of Oracle's Database, Application Server, Collaboration Suite and Enterprise Manager products.
According to the alert, the new patches eliminate security flaws in the Database Server and the Listener offerings. Officials at Redwood Shores, Calif.-based Oracle Corp. listed its Database Server exposure risk as "high" if unpatched, and they noted that exploiting some of the vulnerabilities requires network access but no valid user account.
Specifically, the database giant said the patches support Oracle Application Server 10g (9.0.4), versions 184.108.40.206 and 220.127.116.11; Oracle9i Application Server Release 2, versions 18.104.22.168 and 22.214.171.124; and Oracle 9i Application Server Release 1, version 126.96.36.199. Additionally, Oracle officials said network access without a valid user account can be used to exploit some of these vulnerabilities.
Although the risk was deemed medium, with a valid operating-system user account on the Enterprise Manager host required in order for an attacker to exploit vulnerabilities, the patch rollup issued Tuesday also offered patches for existing security holes in Oracle Enterprise Manager Grid Control 10g, version 10.1.2; and Oracle Enterprise Manager Database Control 10g, version 10.1.0.2.
Oracle recommends that all of its Collaboration Suite customers apply the Oracle database patches to their information Storage database and the Oracle Application Server embedded database. Also, those customers should incorporate the application server patch toward the Oracle Application Server infrastructure installation and each Collaboration Suite middle-tier installation.
But Collaboration Suite users who have already upgraded their Information Storage database to Oracle Database 10g Release 1, version 10.1.0.2, are asked to also apply the Enterprise Manager patch.
Concerning E-Business Suite 11i customers, the Oracle security alert suggested that customers institute the available Oracle Database patches toward their existing Oracle Database Servers. In addition, E-Business Suite 11i end-users should apply the Oracle Application Server patch to their current Application Server releases.
The patches are available on Oracle Technology Network and on Oracle's support site, MetaLink, where registration is required.