Oracle released its so-called Critical Patch Update yesterday for numerous products, addressing critical flaws that need attention. Of note is a fix for a serious misconfiguration issue in its E-Business Suite product that attackers can use to gain full access to databases that may contain confidential data.
Of the vulnerabilities addressed in the E-Business Suite, six can be exploited remotely without authentication.
Researchers discovered the issue last year on a client's system and originally thought it was a backdoor left behind by an attacker. In fact, it was part of a seeded installation. It allows attackers to execute arbitrary SQL commands as the SYS account, which has full privileges. An attacker can then access everything in the database.
An Oracle Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Although cumulative, each advisory describes only the security fixes added since the previous Critical Patch Update advisory.
Some of the fixes included are for patches already released on an emergency basis. Successful attacks have been reported on systems that had failed to apply these patches.
This update contains the following security fixes:
8 for Oracle Database Server
36 for Oracle Fusion Middleware
10 for Oracle Enterprise Manager Grid Control
10 for Oracle E-Business Suite
6 for Oracle Supply Chain Products Suite
7 for Oracle PeopleSoft Products
1 for Oracle JD Edwards Products
17 for Oracle Siebel CRM
2 for Oracle iLearning
2 for Oracle Communications Applications
1 for Oracle Retail Applications
1 for Oracle Health Sciences Applications
19 for Oracle Java SE
29 for Oracle Sun Systems Products Suite
11 for Oracle Linux and Virtualization
9 for Oracle MySQL