Oracle Plugs 51 DB, Server Holes

Oracle has released its first critical patch update for 2007, with fixes for a total of 51 security vulnerabilities in a wide range of enterprise products.

The Redwood City, Calif., database server giant’s patch batch covers serious holes in Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, Oracle Enterprise Manager and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.

The most serious of the 51 flaws carry a CVSS (Common Vulnerability Scoring Standard) base score of 7.0.

“Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible,” the company said in its quarterly advisory.

The company said 28 of the 51 flaws affect its flagship Oracle Database. Among that batch of patches is a high-severity issue that can be “remotely exploitable without authentication.”

This means a successful attacker can launch an exploit over a network without the need for a user name and password.

There are nine patches for the Oracle HTTP Server, which is an optional product that is not installed by default with the Oracle Database. Eight of the nine can be exploited remotely without user credentials, the company warned.

The January 2007 patch update also provides fixes for a dozen new security flaws in the Oracle Application Server, eight of which may be remotely exploitable without authentication.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.