Oracle ships critical update for database, applications

Oracle Corp. released its latest critical patch update on Wednesday, fixing 51 vulnerabilities in a range of products, including its flagship database line.

Oracle's critical patch updatefixes holes in Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of the patched vulnerabilities are found in Oracle Database Server, including the most serious vulnerability fixed.

"The most critical, rating 6.5 with the new CVSS 2.0 metric, is a problem in the import utility," said Alexander Kornbrust, managing director of Red Database Security GmbH, which found 13 of the 27 vulnerabilities in Oracle Database Server that are patched with this update.

CVSS 2.0, or Common Vulnerability Scoring System version 2.0, is a rating system developed by the Forum of Incident Response and Security Teams as a way of measuring the severity and urgency of IT vulnerabilities. The vulnerabilities patched by Oracle's latest critical update have CVSS 2.0 ratings from 4.0 to 6.5.

The vulnerability in the import utility could allow an attacker to run code on a database as the user SYS, Kornbrust said. SYS is the most powerful user in an Oracle database, and is able to do and see more than a typical database administrator.

Kornbrust said database administrators can reduce their exposure to these and other vulnerabilities by hardening their databases and installing the minimum amount of features.

The next Oracle critical update is set for release in January.