Oracle released its second security patch update for 2005, complete with fixes for its own software as well as for former PeopleSoft/JD Edwards products.
The company issued 15 separate patches for multiple security vulnerabilities. The patches cover holes found in Oracle Database Server, Application Server, Collaboration Suite, E-Business Suite and Enterprise Manager Grid Control for 10g. Most of the patches are cumulative, Oracle said, building on the previous patch update released in January.
This is the second update this year since Oracle transitioned to a quarterly security patch release cycle. Unlike previous security advisories, Oracle embedded links to its MetaLink patches within a PDF-based document and included detailed information for each bug.
Under its new Risk Matrix tool, Oracle also assigns a threat level to each patch showing its level of impact and how hard it would be to fix. This patch update includes non-security fixes, because they are interdependent with the other security patches.
Some patches address vulnerabilities found in PeopleSoft EnterpriseOne and PeopleSoft OneWorld, products that Oracle acquired from PeopleSoft at the beginning of the year, after PeopleSoft purchased them from JD Edwards in 2004.
Oracle said the patches also address one vulnerability that popped up in both the Database Server and Application Server products.
"The Risk Matrices show these shared vulnerabilities by specifying the Vuln #s from both matrices on a single vulnerability row," Oracle said in its release.
The company said it analyzed each potential vulnerability separately for risk of exploit and impact of exploit, but it did not do any testing to find out if the flaws were part of any large-scale blended attack.
Older Flaws Remain
Despite its best efforts to lock down its software, Oracle still has a large number of unresolved flaws, according to two security experts. One serious flaw centers on Oracle Forms, a PL/SQL-based development tool that is part of the Oracle Developer Suite 10g.
Red Database Security analyst Alex Kornbrust recently compiled a list of outstanding vulnerabilities and found about 40 different problems ranging in intensity from low to high, some dating back to 2003. Database security expert Esteban Martínez Fayo said he also found more than 65 PL/SQL and SQL buffer overflows that had been reported but not fixed.
Both men found new ways to exploit SQL injection vulnerabilities in Oracle databases. In Kornbrust's paper "SQL Injection in Oracle Forms," a feature of Oracle Forms called "Query/Where" lets any user modify the SQL statements the form generates. The feature is useful for power users but also dangerous, because any Forms user can execute any SQL statement through it.
The paper recommends two different ways to fix the problem. One is to disable the Query/Where function. The other involves writing a PRE-QUERY and an ON-ERROR trigger for every input field to validate a user's input.
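As an added illustration of the second mitigation described above (this is example code written for this article, not taken from Kornbrust's paper or from Oracle), the following two Forms triggers show the shape of the check. The block name EMP and the item names ENAME and JOB are hypothetical; in Enter-Query mode a value containing '&' (which opens the Query/Where dialog) or ':' (which Forms treats as a bind-style variable) lets the user append arbitrary text to the generated WHERE clause, so the PRE-QUERY trigger rejects such values before the query is built, and the form-level ON-ERROR trigger stops the underlying ORACLE error text from being echoed back to the user.

```plsql
-- Trigger 1: PRE-QUERY on block EMP (block and item names are assumptions).
-- Fires just before Forms constructs the SELECT statement, so a failure
-- here prevents the tainted criteria from ever reaching the database.
DECLARE
  PROCEDURE check_query_item(p_item IN VARCHAR2, p_value IN VARCHAR2) IS
  BEGIN
    IF p_value IS NULL THEN
      RETURN;  -- empty criteria are harmless
    END IF;
    -- '&' and ':' are the characters Forms interprets as Query/Where and
    -- bind-variable markers; quotes and semicolons only make sense in raw SQL.
    IF INSTR(p_value, '&') > 0
       OR INSTR(p_value, ':') > 0
       OR INSTR(p_value, '''') > 0
       OR INSTR(p_value, ';') > 0 THEN
      MESSAGE('Invalid search criteria in ' || p_item);
      RAISE FORM_TRIGGER_FAILURE;  -- aborts the query, nothing is executed
    END IF;
  END check_query_item;
BEGIN
  -- Validate every queryable item of the block, not just the obvious ones.
  check_query_item('ENAME', :EMP.ENAME);
  check_query_item('JOB',   :EMP.JOB);
END;

-- Trigger 2: ON-ERROR at form level.
-- FRM-40505 ("ORACLE error: unable to perform query") is raised when the
-- generated SQL fails; showing the database's own error text would let a
-- user refine malformed criteria, so replace it with a generic message.
DECLARE
  err_code NUMBER := ERROR_CODE;
BEGIN
  IF err_code = 40505 THEN
    MESSAGE('The query could not be executed.');
  ELSE
    -- Other Forms errors keep their normal text for the user's benefit.
    MESSAGE(ERROR_TYPE || '-' || TO_CHAR(err_code) || ': ' || ERROR_TEXT);
  END IF;
  RAISE FORM_TRIGGER_FAILURE;
END;
```

Each trigger is entered separately in Forms Builder (PRE-QUERY on the block, ON-ERROR on the form). The character list in check_query_item is a starting point; the safer of the two fixes the paper names is still to disable Query/Where entirely where power users do not need it.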
Oracle executives were not immediately available to comment on the SQL Injection vulnerability or on the large number of other flaws found by Kornbrust and Fayo.
Oracle's next regularly scheduled software update is on July 12, followed by another on October 18.