Oracle Patches Seven Database Flaws Among 66 CPUs

Oracle this week unleashed a torrent of 66 new security patches across its entire portfolio during its quarterly update, including seven Critical Patch Updates.

Three of the vulnerabilities are remotely exploitable without authentication, Oracle says.

Among the seven vulnerabilities affecting Oracle database customers, five were directly for Oracle Database Server. One of these is remotely exploitable without authentication.

"None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed," Oracle reported in its documentation.

One of the other vulnerabilities was for Oracle Secure Backup and another was for Oracle Audit Vault, both of which fixed remotely exploitable vulnerabilities.

"We are seeing fixes for remote execution without authentication, which is very severe," said Amichai Shulman, Imperva CTO, yesterday in a statement. "For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent."

While there were a number of important updates made for database customers, Shulman wonders whether Oracle's recent acquisitions have pulled the company off of its focus of locking down database vulnerabilities.

"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products," Shulman said. "Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year."

Shulman notes that Oracle provides no details about the vulnerabilities that these CPUs are fixing, citing the risk of hackers taking advantage of the flaws to create new exploits. But the lack of information harms cautious database users who need to figure out workarounds until they can finish testing in order to bring patches live, he said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.