Oracle closes 51 holes
As announced, Oracle has released its Critical Patch Update for January 2007, though only 51 patches were released, one fewer than described in the recently published pre-release announcement. A number of products ranging from Oracle Database to Oracle Application Server, Oracle Collaboration Suite, and Oracle Enterprise Manager are affected. The problems remedied include SQL injection holes and buffer overflows that could be exploited to inject code or take down a server.
17 vulnerabilities have been remedied in the vendor's database products alone, some of which could be exploited over networks to manipulate the server. According to database security specialist Alexander Kornbrust, it took Oracle 1,918 days to remedy a hole that attackers could exploit to bypass a server's default index page and list directory contents by adding a number of slashes to a URL.
As in the previous CPU, the security advisory includes a risk matrix and an executive summary to help companies decide how quickly a patch should be installed, if at all.
- Oracle Critical Patch Update - January 2007, Oracle's description of the updates
- Details Oracle Critical Patch Update January 2007, brief description by Alexander Kornbrust