Oracle fixes 88 security flaws in critical patch update

Multiple products are affected by the updates, including Oracle Enterprise Manager, Oracle Database Server, Oracle Fusion Middleware, and Oracle Sun products

Oracle has released a swathe of patches which fix 88 vulnerabilities in various products in its latest quarterly critical patch update (CPU).

The affected software includes Oracle Enterprise Manager, Oracle Database Server, Oracle Fusion Middleware, Oracle Sun products, MySQL, Oracle Enterprise Manager Grid Control, Oracle e-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle Industry Applications, Oracle Financial Services, and Oracle Primavera Products.

Oracle recommended in its patch notes that its customers implement these fixes as soon as possible.

Many of the vulnerabilities addressed by the update could be exploited by attackers remotely, including three in Oracle Database Server alone.

"Three of these vulnerabilities [in Oracle Database Server] may be remotely exploitable without authentication, [which means that they] may be exploited over a network without the need for a username and password," wrote the firm in the notes.

"One of these fixes is applicable to client-only installations, [which means] installations that do not have the Oracle Database Server installed," it added.

TeamSHATTER, part of database security solutions provider AppSecInc, is credited by Oracle for finding seven of the twelve database-related vulnerabilities addressed by this update.

Alex Rothacker, Director of Security Research at AppSecInc, welcomed the apparent renewed focus on database security from Oracle, but questioned why the company waited for three years before releasing the patches.

"Just when we thought Oracle threw in the towel on fixing database vulnerabilities, they follow up their record low database-related fixes from the last CPU in January with a dozen fixes in the April 2012 CPU.

"While we hope that this is an indication of Oracle's renewed focus on database security improvements, we are quite disappointed that it took them over two and a half years to fix a high-risk vulnerability that we reported to them in October 2009. It is just not acceptable to leave users at risk for that long."

Rothacker also voiced concerns about the large number of remotely exploitable vulnerabilities in this quarter's update.

"In reviewing this CPU, another tremendous concern I have is that 33 of the 88 vulnerabilities fixed were remotely exploitable without authentication, which means that anybody on the network can exploit these.

"That is a massive amount of flaws of this nature to have across the Oracle product line. Hopefully that is not a trend that we continue to see more of in future CPU cycles."