Oracle recently released its first Critical Patch Update (CPU) for 2012. The update addressed at least 78 issues across its product line. The MySQL database had the largest number of fixed flaws, at 27, according to ESecurityPlanet.com. Next was the Sun Product Suite with 17 security updates, which included fixes for the GlassFish Enterprise Server and Solaris. Eleven security updates were included for Oracle's Fusion Middleware. The JD Edwards products had 8 updates, while Oracle E-Business Suite had three security updates.
Close to the bottom was the Oracle Database Server, with only two flaws fixed. This was despite reports from Oracle's researchers that there were numerous high-priority security problems. This CPU was very important for the IT arena, both for technicians currently using the operating systems and for those enrolled in Oracle middleware training classes.
Expert feedback
Application Inc.'s Director of Security Research, Alex Rothacker, expressed surprise at the small number of database flaws resolved in the latest CPU. He noted that the volume of fixes has been diminishing over the last couple of years, but he was still surprised that there weren't more fixes for its DBMS this year. Rothacker said that although both of the fixed flaws were critical, other bugs were not addressed in January's CPU. He also said that his team (TeamSHATTER) has identified nine further vulnerabilities, some of which are as critical as the two that were fixed. Oracle recently updated its Firewall to guard its clients against database attacks and SQL injection.
Eric Maurice, the manager of security in Oracle's global technology business unit, explained that the corporation considered both issues resolved in January's CPU to be especially crucial. Getting these flaws corrected is important, since the number of IT professionals signing up for Oracle database admin training is growing.
The 2 flaws
CVE-2012-0072 was one of the flaws Oracle identified in the Database patch summary. In a recent blog post, Maurice stated that this flaw could be easily exploited and might lead to the database shutting down. However, this happens without the integrity or confidentiality of the information being compromised. Weaknesses along these lines could allow unauthorized attackers to carry out a denial-of-service attack on a targeted database, for example one that is exposed to the internet.
The other defect identified by Oracle was CVE-2012-0082. This defect concerned an issue with System Change Numbers (SCNs), which are designed to identify database transactions. Maurice stated that in November 2011 correspondents from InfoWorld contacted Oracle and told them that, in a large number of instances, it appeared that the SCN of a specific database might grow at a very high rate. This disproportionately high SCN value can then be propagated to other databases through database links. In a blog post, Maurice explained that, in keeping with its procedures, Oracle addressed this problem as a security bug, since it had security ramifications.
Saturday, March 10, 2012
Oracle's CPU Fixes DBMS Vulnerabilities