Oracle patch day: 65 security holes plugged
With its July Critical Patch Update (CPU), Oracle has fixed 65 security vulnerabilities in its products. Oracle recommends immediate installation of the patches, as 27 of the holes plugged could be utilized by attackers from the internet. Oracle does not envisage alternative counter-measures beyond installation of the patch.
The updates fix 23 flaws in Oracle's databases, one in the Collaboration Suite, 10 in the Application Server, 20 in the E-Business Suite and associated applications, four weaknesses in the Enterprise Manager, two in the PeopleSoft Enterprise Portal and one in the JD Edwards software. Four of the patches exclusively affect Oracle Database Client-only installations, i.e. installations with no local database. Three of the vulnerabilities fixed in this product permit an attacker to cause the client to crash during connections to a manipulated server. The fourth weakness even permits malicious code to be executed on the client computer by using such a server.
Database specialist Alexander Kornbrust also believes that administrators should install the patches quickly. The security vulnerabilities fixed include one for which an exploit was already published last April. The patches also fix an error through which users can make additions, deletions or changes without the correct authorisations. In addition, according to Kornbrust, the updates eliminate a number of SQL injection and cross-site scripting errors.
- Oracle Critical Patch Update - July 2006, Oracle security bulletin