Risk: Medium
Oracle has finally started releasing a multitude of security fixes in a long-awaited and extensive series of patches that constitute its first monthly security update.
In January and February 2004, UK-based security tools firm Next Generation Security Software (NGSSoftware) notified Oracle of 34 security vulnerabilities affecting various versions of its database software. Patches have at last been delivered, along with fixes for further vulnerabilities discovered by other security researchers and Oracle itself.
In total, there are about 100 security fixes repairing an "unbreakable" product, as was publicised a few years ago.
The vulnerabilities affect various versions of Oracle Database Server (including the latest 10g release), Application Server and Enterprise Manager software. Oracle's Collaboration Suite and E-Business Suite 11i contain the vulnerable software and are affected as well.
Some of the flaws might be exploited to compromise a vulnerable system, cause a DoS (Denial of Service), or conduct SQL injection attacks, according to sources. The risk remains unclear because Oracle is providing no details of the various vulnerabilities. It fears that any information would give vital clues to criminal crackers about how to exploit unpatched systems.
NGSSoftware has apparently had a change of policy as well. It is now planning to hold back information on the bugs that it has already discovered in Oracle products for three months, to allow end users a chance to patch their systems. Reading through advisories, some of these bugs are easy to exploit without even having a username or password.