Risk
4/14/2008
01:13 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Oracle Plans 41 Patches For Tuesday

The number of published proof-of-concept exploits for Oracle products last year supports research noting an increase in attacks on applications.

Oracle said last week that it will be releasing patches for 41 vulnerabilities in its database software products on Tuesday, April 15.

The Critical Patch Update contains 17 security fixes for the Oracle Database, three security fixes for Oracle Application Server, 11 security fixes for the Oracle E-Business Suite, one security fix for the Oracle Enterprise Manager, three security fixes for Oracle PeopleSoft Enterprise products, and six security fixes for Oracle Siebel SimBuilder products.

Of these, 15 can be exploited remotely without authentication.

The following Oracle products are affected: Oracle Database 11g, version 11.1.0.6; Database 10g Release 2, versions 10.2.0.2, 10.2.0.3; Oracle Database 10g, version 10.1.0.5; Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV; Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0; Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0; Oracle Application Server 10g (9.0.4), version 9.0.4.3 Oracle Collaboration Suite 10g, version 10.1.2; Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.4; Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2; Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09; Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0; Oracle Siebel SimBuilder versions 7.8.2, 7.8.5

Security researchers have noted that cyber attacks now tend to focus more on applications than on operating system or network vulnerabilities. The number of published proof-of-concept exploits for Oracle products last year, compared to previous years, seems to support that contention.

Mil0worm.com, a security vulnerability site, listed 21 proof-of-concept exploits for Oracle software in 2007, compared to 5 in 2006 and 3 in 2005. So far in 2008, the site lists 4 Oracle-related vulnerabilities.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0279
Published: 2015-03-26
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

CVE-2015-0635
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to spoof Autonomic Networking Registration Authority (ANRA) responses, and consequently bypass intended device an...

CVE-2015-0636
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (disrupted domain access) via spoofed AN messages that reset a finite state machine,...

CVE-2015-0637
Published: 2015-03-26
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to cause a denial of service (device reload) via spoofed AN messages, aka Bug ID CSCup62315.

CVE-2015-0638
Published: 2015-03-26
Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3, when a VRF interface is configured, allows remote attackers to cause a denial of service (interface queue wedge) via crafted ICMPv4 packets, aka Bug ID CSCsi02145.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.