Risk: Medium
Oracle Corp. has issued a "critical patch update" to address 23 holes in its database and application server products.
The patches were released as part of Oracle's first quarterly patching cycle, towards the end of 2004, and fix a series of undisclosed flaws ranging from manipulation of data, exposure of sensitive information, privilege escalation and denial-of-service attacks.
The vulnerabilities affect users of the Oracle Database 10g Release 1, Oracle9i Database Server, Oracle Application Server, Oracle9i Application Server, Oracle Collaboration Suite and Oracle E-Business Suite and Applications Release.
In an advisory document, Oracle said the first quarter patch update is a cumulative update that also contains non-security fixes that are required because of interdependencies on the security fixes.
Secunia, a private security research outfit, rates the flaws as "moderately critical" and warned that exploitation could lead to PL/SQL injection attacks.
Oracle's alert did not provide specific information on the attack scenarios and one of the private firms that reported the vulnerabilities said it would withhold details about the flaws until April 18 2005.
The three-month window will allow Oracle database administrators the time to test and implement the patch set before details are released publicly.
Secunia's advisory contains minor details of the bugs, which include a boundary error in the Networking component that can be exploited by malicious database users to crash the database via a specially crafted connect string.
Another error in the Spatial component can potentially be exploited to disclose information, manipulate data, or cause a DoS condition.
The next batch of patches from Oracle is scheduled for April 12 2005.
Oracle had originally announced it would release patches on a monthly schedule, but the company shifted away from that plan in November 2004 in favour of the quarterly cycle.