Busy Patch Tuesday for Oracle Admins
As announced, Oracle patched a total of 51 flaws across its various products on its quarterly Patch Tuesday. Of these, 27 vulnerabilities were fixed in the database. Oracle also corrected 11 flaws in the Workspace Manager, 3 in Oracle Text, and 3 in Oracle Spatial. Additional bugs were removed from Advanced Queuing, XMLDB, OID, and ASO.
Alexander Kornbrust, the German database specialist who discovered and reported some of the flaws, says that the import flaw is the most significant. It has a CVSS base score of 6.5 (CVSS 2.0) and affects all versions of Oracle. The bug allows arbitrary commands to be executed as the SYS user. In addition, Kornbrust says some of the other security holes, such as those in Database Vault (DB21) and Enterprise Manager (EM01), can also be exploited remotely without user authentication. Unfortunately, details have not been provided for all of these. The database specialist says he will be publishing additional analyses in the next few days.
- Oracle Critical Patch Update - October 2007 summary from Oracle