Oracle releases critical patches for database security

From InfoWorld: Oracle released a set of 59 patches on Monday to fix security vulnerabilities across its entire range of database, application, and middleware products.

The patches include fixes for three critical flaws affecting virtually every supported version of the company's Database Server technology.

They were released as part of Oracle's scheduled quarterly Critical Patch Update and include a total of 28 fixes for remotely exploitable vulnerabilities, which Oracle considers critically important because they allow systems to be exploited over the network without the need for a username or password.

Of the 59 patches announced today, 13 are for security problems in Oracle's suite of database technologies. Three are critical because they address particularly dangerous flaws in all Oracle database server versions, said Josh Shaul, director of product management at Application Security, a New York-based security vendor.

One of the flaws, CVE-2010-0902, allows any user who is authenticated to an Oracle database to gain complete administrative control of it. "They can view the database, modify it, or shut down the database server. They can essentially become a database administrator," Shaul said.

The two other critical database flaws can potentially be exploited without a user even needing to be logged into the database. The flaws allow attackers to trigger denial of service (DoS) conditions against a database so as to make it unavailable to legitimate users.
