Oracle on Tuesday patched 41 vulnerabilities, including 17 impacting its flagship Oracle database product, in its April Critical Patch Update (CPU) round of security fixes.
This amounts to a "medium-sized" patch cycle for Oracle, Amichai Shulman, chief technology officer at database security vendor Imperva, told SCMagazineUS.com.
In addition to the database product, Oracle released 11 fixes for its Business Suite and associated applications, six for the Oracle Siebel Enterprise Suite and three each for its Application Server and PeopleSoft-JDEdwards Suite. It also fixed bugs in its Enterprise Manager, Enterprise Search/Ultrasearch product and Collaboration Suite.
Fourteen of the vulnerabilities can be exploited remotely without authentication, the company said in its security alert. These include seven affecting the E-Business Suite, three impacting the Siebel Enterprise product, two impacting the Oracle Application Server, and one each affecting the Oracle database and the Application Express product.
Exploiting these bugs would allow an attacker to take over the affected system via a network without needing a username or password, the company said.
"This basically means that your database is a sitting duck unless you deploy this patch," Slavik Markovich, CTO of Sentrigo, told SCMagazineUS.com. "The last we saw of those was, I believe, two CPUs ago."
Shulman said one of the database vulnerabilities fixed in this round allows an outside attacker to perform an activity in the database server without the activity being reported by the internal audit trail mechanism.
"That's an example of why enterprises should start using external auditing mechanisms for their database servers," he said. "There will always be vulnerabilities in the software products enterprises are trying to protect and they can't rely just on the internal auditing mechanisms."
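One way to make the external-auditing point concrete is to reconcile an independently captured statement log against the database's own audit trail and flag anything the internal mechanism never recorded. The following is an added example, not code from the article or from any vendor named in it; both log formats (a pipe-delimited network-monitor capture and a pipe-delimited audit-trail export) are hypothetical, and the sample records are constructed.

```python
"""Reconcile an externally captured statement log against a database's own
audit trail, flagging statements that the internal audit never recorded.

Added example, not from the article. Both log formats are hypothetical and
the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Statement:
    ts: datetime
    user: str
    sql: str          # normalized SQL text
    source: str       # "external" or "internal"
    client: str = ""  # client address, known only to the external monitor


def normalize_sql(sql: str) -> str:
    """Lower-case and collapse whitespace so the two logs compare equal."""
    return re.sub(r"\s+", " ", sql.strip()).lower()


def parse_external(lines):
    """Hypothetical network-monitor format: ts|client|user|sql."""
    out = []
    for line in lines:
        ts, client, user, sql = line.split("|", 3)
        out.append(Statement(datetime.fromisoformat(ts), user,
                             normalize_sql(sql), "external", client))
    return out


def parse_internal(lines):
    """Hypothetical internal audit-trail export: ts|user|sql."""
    out = []
    for line in lines:
        ts, user, sql = line.split("|", 2)
        out.append(Statement(datetime.fromisoformat(ts), user,
                             normalize_sql(sql), "internal"))
    return out


def find_unaudited(external, internal, window=timedelta(seconds=5)):
    """Return external statements with no internal audit record for the same
    user and statement text within `window`. Each internal record is matched
    at most once, so a repeated statement is not masked by a single audit row."""
    unmatched = list(internal)
    gaps = []
    for ext in external:
        match = next((i for i in unmatched
                      if i.user == ext.user and i.sql == ext.sql
                      and abs(i.ts - ext.ts) <= window), None)
        if match is None:
            gaps.append(ext)
        else:
            unmatched.remove(match)
    return gaps


# Constructed sample data: four statements seen on the wire, only two of
# which appear in the database's own audit trail.
EXTERNAL_LOG = [
    "2024-04-16T10:02:11|10.0.0.25|HR_APP|SELECT * FROM employees WHERE dept = 10",
    "2024-04-16T10:02:14|10.0.0.25|HR_APP|UPDATE salaries SET amount = 90000 WHERE emp_id = 7",
    "2024-04-16T10:02:20|10.0.0.31|SYS_OPS|GRANT DBA TO app_svc",
    "2024-04-16T10:03:05|10.0.0.25|HR_APP|SELECT COUNT(*) FROM employees",
]
INTERNAL_AUDIT = [
    "2024-04-16T10:02:12|HR_APP|  select  *  from employees where dept = 10",
    "2024-04-16T10:03:06|HR_APP|select count(*) from employees",
]


def report(external_lines=EXTERNAL_LOG, internal_lines=INTERNAL_AUDIT):
    """Print and return the statements missing from the internal audit trail."""
    gaps = find_unaudited(parse_external(external_lines), parse_internal(internal_lines))
    for g in gaps:
        print(f"UNAUDITED {g.ts.isoformat()} {g.user}@{g.client}: {g.sql}")
    return gaps


if __name__ == "__main__":
    report()
```

The match key (user, normalized text, timestamp window) is deliberately loose, since the two logs are written by different components with slightly different clocks; a real deployment would also key on session identifiers where the external monitor can recover them.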
Oracle rated one of the Application Server vulnerabilities a 9.3 (out of 10) on its vulnerability scoring system. This flaw, which is applicable to client-only installations, affects only the client portion of Oracle Application Server, according to Oracle. Most of the remaining vulnerabilities were of low to medium severity, the company said.
All six of the Siebel Enterprise security fixes are for the product's SimBuilder component. SimBuilder is a standalone component used to prepare and deliver training materials and may not be deployed in all Siebel Enterprise installations, Oracle said.
Oracle has on several occasions, including this round, found multiple instances of a single vulnerability within its products and patched them separately instead of fixing the issue comprehensively throughout the package, Imperva's Shulman said.
"In a quick search, I found five of those when they fixed only part of the problem," he said, adding that time constraints are likely to blame for this approach.