Numerous security updates from Oracle
Oracle has released its Critical Patch Update (CPU) for January 2009, fixing a total of 41 vulnerabilities in many of its products. Twenty of the vulnerabilities affect Oracle's database products, while others affect Oracle's Secure Backup and TimesTen DataServer. Some of the holes in Secure Backup are classified as critical because they are remotely exploitable without authentication.
According to Alexander Kornbrust of Red Database Security, one of the database holes (CVE-2008-5437) allows a user with execute privileges on dbms_ijob to circumvent Oracle Auditing completely, so that data can be changed with no record of the changes being logged.
For a complete overview of the holes and affected products, see the patch advisory from Oracle.
- Oracle Critical Patch Update Advisory - Jan 2009, Oracle's advisory
- Oracle plans massive update for Tuesday, heise Security report