Oracle Releases Critical Updates -- Visual Studio Magazine

Oracle Releases Critical Updates

By Joab Jackson
07/16/2008

Oracle has released the latest quarterly round of critical patches for all its products.

Among the applications being updated are the Oracle database 9i through 11g, Oracle Application Server, Oracle PeopleSoft Enterprise CRM and the Oracle WebLogic Server (formerly BEA WebLogic Server).

Among the vulnerabilities being fixed are:

A library path vulnerability in the Oracle database: This flaw allows Oracle users to execute code with root privileges by overriding the root program that sets user rights, according to security research firm iDefense. The vulnerability, which resides on Unix and Linux platforms, has been assigned the number in the CVE-2008-2613 in the Common Vulnerabilities and Exposures vulnerability database.

A buffer overflow vulnerability in the Oracle database: This flaw allows users to execute code with database user privileges, according to iDefense. A queuing routine does not validate input, allowing an attacker to enter a long string of code that will overflow the buffer and place potentially damaging commands into memory. CVE-2008-2607.

An input validation vulnerability in the Oracle Internet Directory: This flaw can enable a denial-of-service attack and bring down the directory by sending a flood of bogus Lightweight Directory Access Control packets to the program, according to iDefense. CVE-2008-2595.

Oracle releases critical patches in bundles on a quarterly basis. "They are released on the Tuesday closest to the 15th day of January, April, July and October," according to a page explaining the release schedule.

Typically, Oracle announces security fixes only when fixes are available for all the different platforms and versions. For most of Oracle's chief products, such as the Oracle Database Server and the Oracle Application Server, the patches are cumulative, meaning they contain all the fixes from previous critical patch updates. Patches for other products are provided on a one-off basis, meaning older patches will need to be applied independently.

This quarterly patch cycle is the first to assign CVE Identifiers (CVE-IDs) to vulnerabilities, according to Mitre, which oversees CVE management.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Printable Format

comments powered by Disqus

Featured

Unlocking Deeper Insights: Expert Advice on Azure Monitoring

As organizations increasingly rely on cloud-native solutions, the need for robust, real-time monitoring tools has never been more pressing.
Free (Non-Commercial) JetBrains Rider vs. Visual Studio 2022 Community Edition

With JetBrains making its Rider and WebStorm IDEs freely available for non-commercial use, Visual Studio 2022 Community Edition has a new competitor, not to mention Visual Studio Code. So what's a (non-enterprise) .NET-centric developer to do now?
Copilot Workspace Does Web App in Minutes, No Coding Required

Here's a taste of our no-coding future, thanks to Copilot AI.
Microsoft Previews Mads Kristensen Keynote at Orlando Dev Conference

Microsoft today previewed a keynote presentation by Visual Studio guru Mads Kristensen at an upcoming developer/IT pro event where he will be joined by other company dev luminaries such as Jon Galloway, Rachel Kang, and James Montemagno.
Syncfusion Open Sources 14 Controls for .NET MAUI

Third-party .NET-centric dev UI tooling specialist Syncfusion this week announced the open sourcing of 14 controls for .NET MAUI, the evolution of Xamarin.Forms that adds support for building desktop apps.