Deksoftindo

Oracle has dropped the first quarterly critical patch update for 2009 — with patches for 41 vulnerabilities in a wide range of database server products.

The January 2009 CPU includes 20 new security fixes for the company’s flagship database product lines, 4 new security fixes for the Oracle Application Server, 9 vulnerabilities in Oracle Secure Backup, 4 new security fixes for the Oracle Applications Suite, and 6 new security fixes for the PeopleSoft and JDEdwards Suite.

• 10 new security fixes for the Oracle Database.  None of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.  2 of these fixes are applicable to client-only installations, i.e. installations that do not have an Oracle Database installed.
• 9 new security fixes for the Oracle Secure Backup product.  All of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.
• 1 new security fix for the Oracle TimesTen Data Server.  This vulnerability is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.

According to Alexander Kornbrust from Red Database Security, the most critical bug could allow any user with execute privileges on dbms_ijob (e.g. DBA or hacker/user with DBA privs) to bypass Oracle Auditing completely.

This means no traces in the AUD$ and/or the operating system! All databases are affected.

Risk matrix definitions, including CVSS scores for all the vulnerabilities, are included in Oracle’s advisory.

* Image source: Oracle Security at Amazon.com.

*source http://blogs.zdnet.com