A number of Oracle’s enterprise level products picked up security updates from the company’s latest quarterly patch release.
|Oracle Fixes 36 Flaws|
One astonishing security flaw finally received a much-needed patch, while a zero-day exploit Oracle itself made public, with exploit code also had to be addressed.
A vulnerability in how Oracle’s PL/SQL Gateway functions could have permitted an attacker, without a username or password, to gain control of a database as a DBA and pull out any and all information contained in the tables.
That problem had been reported by David Litchfield of NGS Software to Oracle in October 2005. Despite the availability of a trivial workaround, Oracle did not include a fix in the ModPL/SQL configuration for six months.
Oracle caused itself some grief by posting a vulnerability to its Metalink site, along with the code necessary to exploit said vulnerability. While such transparency and disclosure is much appreciated by its customers, they likely would have preferred Oracle to release a patch along with that disclosure.
The researchers from Red Database Security in Germany made that point to Oracle, which subsequently removed the Metalink post from the website. Oracle did credit Alexander Kornbrust of Red Database Security for indicating the problem.
This quarter’s patch release from Oracle finally shut down those two flaws, along with 34 others spanning six of Oracle’s products.