Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
The patches fix vulnerabilities in the Oracle Database Server, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager and Oracle Siebel Enterprise, according to the company. The patches also covered vulnerabilities in Oracle PeopleSoft and JDEdwards Suite and the Oracle BEA Products Suite, according to the Oracle update advisory.“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible,” the advisory said.The worst problems fixed had mainly to do with the ability to exploit a flaw without valid credentials. The highest severity rating (10.0) went to Jrockit, part of the Oracle BEA Products Suite, and Secure Backup HTTP, a component of the Oracle Database. Both of these components had vulnerabilities that could be remotely exploitable without authentication – that is, able to be exploited over a network without the need for a username and password"They [the patches] indicate a vulnerability in the network protocol layer," Rob Rachwald, director of marketing at Imperva, told SCMagazineUS.com in an email. "It's possible that the attack could go undetected. Since this is a protocol level attack, tools that monitor only SQL activity, native audit solutions, or solutions that have visibility only to internal host based activity, will not have any indication that the server is under attack."Oracle offered some possible workarounds for organisations that cannot immediately apply the patches. “It may be possible to reduce the risk of successful attack by restricting network protocols required by an attack,” the advisory said. “For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack.”Unfortunately, both of these approaches may break application functionality, according to Oracle's advisory. It recommended that users test changes on non-production systems, and said neither approach should be considered a long-term solution.The Oracle patches hit the same day as Microsoft fixed vulnerabilities in its DirectShow and Video ActiveX components, part of the regular Microsoft monthly security updates. The next set of Oracle patches will come in October.See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.