Ziff Davis Internet
News & Resources for the IT Reseller
NewsReviewsTech AnalysisCommentarySecurityLinux/Unix
My Account |  

Oracle Plugs 36 Holes in Critical Patch Update
By Ryan Naraine

Database server giant Oracle on April 18 shipped its scheduled quarterly critical patch update with fixes for 36 security vulnerabilities in several enterprise-facing products.

The mega update includes a fix for a gaping flaw in the Oracle PL/SQL Gateway that was reported to Oracle more than six months ago and was the subject of a war of words between Oracle and database security expert David Litchfield at the Black Hat Federal security conference earlier in 2006.


Fed up with what he described as Oracle’s “backward approach” to dealing with security issues, Litchfield used the spotlight of the January conference to warn that the PL/SQL Gateway flaw could be exploited to gain full database administrator control of the back-end database server.

Litchfield, co-founder of London-based NGSS (Next Generation Security Software), said at the time that an attack could be launched without a user name ID or password and could be used to hijack sensitive information from corporate databases.

In its April CPU, Oracle included a fix for the bug, which affects components of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server.

eWEEK.com Special Report: Oracle's Security Woes

The PL/SQL Gateway serves as a proxy for sending queries between the Web server and the database back-end server, and provides an easy target for malicious hackers wishing to bypass certain exclusions to gain access to “excluded” packages and procedures.

PointerClick here to read more about David Litchfield how detailed a “very, very critical” vulnerability in the Oracle PL/SQL Gateway.

After reviewing the Oracle update, Alexander Kornbrust, the CEO of Germany’s Red Database Security, based in Neunkirchen, Germany, said he counted a total of 13 patches for various database flaws.

eWEEK.com Special Report: Database Security

The update, which address SQL injection and privilege escalation issues, also includes fixes for four holes in the Oracle Collaboration Server, 13 bugs in the Oracle E-Business Suite and Applications and two vulnerabilities in the Oracle Enterprise Manager.

Patches for easy-to-exploit vulnerabilities in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne products were also included, Kornbrust said in an interview with eWEEK.

“A lot of the patches are not yet available so it’s difficult to determine just how serious these are and if these flaws are actually fixed,” Kornbrust said, referring to Oracle’s known problems with providing comprehensive patches for publicly reported vulnerabilities.

PointerCheck out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.



Free Hands-On Training Lab
Find out how key features of SBS 2003 can help you open up a new line of revenue. Register now >>

SBS 2003 Sales Reference Card
This handy reference card contains features at a glance, sales objection handling, pricing guidelines & more. Get it now >>

Microsoft Empower for ISVs rewards your big idea with big benefits and support.
Access key development tools at a low cost to help you develop that idea into an innovative application. Learn more >>

Autotask makes your IT business run. Better!
  • Manage your entire business from a single integrated system accessed over the web
  • Track and control service tickets, and efficiently dispatch field service techs
  • Monitor and analyze project profitability by project, customer and type
  • Bill by fixed price, time & materials, block hours or retainers
  • Set up workflow rules and automated notifications
  • Nothing to install. Easy to use. Affordable.
Click here ONLY if you want a personalized demo via the web
(North America only, please)

Attention Microsoft Solution Providers!

Want to gain a competitive edge? Try Microsoft Watch – FREE!

Each week you receive:
  • Microsoft News and Insider Information
  • Expert Analysis
  • Code Names of Upcoming MS Products
  • Year-Ahead Calendar, updated monthly

    Click Here to sign up now for your FREE 14 Day Trial to Microsoft Watch.
  • Add up to $1,200 of value with the new BONUS PACKS.
  • High Performance Storage That Blows Away Competitors.
  • Adaptec Adaptec SATA II RAID Outperforms LSI, Promise, 3Ware
  • Create, manage, and archive all content with EMC
  • Go Pro.Introducing Intel® vPro™ technology.
  • Free on-line courses at Data Center University
  • The Power to Build Great Devices – Windows Embedded
  • Windows gets top EAL 4+ security rating from SAIC.
  • Get the Facts on Linux and Windows Server.
  • Get a FREE Forrester white paper courtesy of Oracle.
  • Free Whitepaper: The future of Identity Management.

    •Catalog Publishing
    •Dealer Management
    •Order Configuration
    •Price Management
    •Sales Management

    View All >

    Search the jobs you want & get the info you need – post your resume here today!

    Powered by Dice
    White Boxes
    MS vs. IBM
    Linux in the Channel
    Stay in the Zone
    Put The Channel Insider on your desktop.
    Subscribe to The Channel Insider: Channel News, Reviews, Resources and more.

    Make your selections below:

    Contract Watch

    The Channel Insider Update

    Preferred e-mail format:

    Enter your e-mail:

    view all newsletters >>
    Channel Insider Quick Links
    Ziff Davis Footer Logo