
Oracle Issued Critical Patch Update (CPU) For 78 Security Holes


As expected, Oracle today officially released its January security update. In this Critical Patch Update it has closed 78 security holes. The company says that these patch day updates address vulnerabilities in "hundreds of Oracle products". 16 of the vulnerabilities patched are remotely exploitable without authentication. Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM VirtualBox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM and PeopleTools. A vulnerability in the TCP/IP stack of Solaris 9, 10 and 11 Express is the highest rated of these, with a CVSS score of 7.8 out of 10.0.

According to Oracle:- 

Affected Products & Components:-

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below.  The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.   Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database
Oracle Database 11g Release 1, version 11.1.0.7 | Database
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 | Database
Oracle Database 10g Release 1, version 10.1.0.5 | Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0 | Fusion Middleware
Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Fusion Middleware
Oracle Outside In Technology, versions 8.3.5, 8.3.7 | Fusion Middleware
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5) | Fusion Middleware
Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3 | E-Business Suite
Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite
Oracle Transportation Management, versions 5.5, 6.0, 6.1, 6.2 | Oracle Supply Chain
Oracle PeopleSoft Enterprise CRM, version 8.9 | PeopleSoft
Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1 | PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, version 8.52 | PeopleSoft
Oracle JDEdwards, version 8.98 | JDEdwards
Oracle Sun Product Suite | Oracle Sun Product Suite
Oracle VM VirtualBox, version 4.1 | Oracle Virtualization Product Suite
Oracle Virtual Desktop Infrastructure, version 3.2 | Oracle Virtualization Product Suite
Oracle MySQL Server, versions 5.0, 5.1, 5.5 | Oracle MySQL Product Suite


For More Information Click Here

Oracle Issued Security Update for DDoS Vulnerability in Apache HTTPD



Oracle, the giant enterprise database company - and, of course, owner of the erstwhile Sun Microsystems - has just published an out-of-band security update. This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005.

Description:-
This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of unpatched systems.

Affected Products and Versions:-

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)


Please note that Oracle Enterprise Manager includes the Oracle Fusion Middleware component that is affected by this vulnerability. Oracle Enterprise Manager is affected only if the affected Oracle Fusion Middleware version (noted above) is being used. Since a vulnerability affecting Oracle Fusion Middleware versions may affect Oracle Enterprise Manager, Oracle recommends that customers apply the fix for this vulnerability to the Oracle Fusion Middleware component of Oracle Enterprise Manager. For information on what patches need to be applied to your environments, refer to Security Alert CVE-2011-3192 Patch Availability Document, My Oracle Support Note 1357871.1.

Patch Availability:-
Patches and relevant information for protection against this vulnerability can be found Here
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

-News Source (Oracle)

Oracle Issued Critical Patch Update To Close 88 Security Holes


As part of its Critical Patch Update (CPU), Oracle released 88 security fixes addressing vulnerabilities in over 35 products in its portfolio. Oracle's last CPU closed 78 security holes; this time the list has grown by ten, from 78 to 88. Unlike Microsoft, which releases patches every month, Oracle follows a quarterly patch schedule across its entire product portfolio, excluding Oracle Enterprise Linux and Java.

This April's Critical Patch Update contains six fixes for the Oracle Database Server, 11 for Oracle Fusion Middleware, 15 in Oracle Sun products, and six in MySQL, the company said in its CPU advisory released Apr. 17. Other affected suites include Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle Industry Applications, Oracle Financial Services, and Oracle Primavera Products.

There are 15 new security fixes for the Oracle Sun Products Suite, five of which could be remotely exploited without the need for a username or password. Of the 88 fixes, 33 were considered critical, meaning they could be remotely exploited without needing a username and password. In contrast, January's CPU had only 16 remote code execution vulnerabilities. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," the company said in the advisory.

XSS in Oracle AS Portal 10g


I. VULNERABILITY
-------------------------
XSS in Oracle Portal Database Access Descriptor

II. BACKGROUND
-------------------------
Oracle AS Portal is a Web-based application for building and deploying
portals. It provides a secure, manageable environment for accessing
and interacting with enterprise software services and information
resources.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Oracle Application
Server that allows arbitrary HTML/script code to be executed in the
context of the victim user's browser.

The code injection is done through the DAD name. A DAD (Database
Access Descriptor) is a set of values that specifies how a database
server should fulfill a HTTP request.

IV. PROOF OF CONCEPT
-------------------------
Original request:
http://<oracle-application-server>/portal/pls/<DAD>

Malicious request:
http://<oracle-application-server>/portal/pls/<XSS injection>

Example 1:
http://<oracle-application-server>/portal/pls/"<H1>XSS vulnerability<XSS

In this scenario, the attacker has the difficulty of being unable to
close the HTML tag, because the character "/" cannot be added as part
of the code injection (the DAD name). However, it is possible to generate
that character without it appearing in the injection. Below is an example.

Example 2:
http://<oracle-application-server>/portal/pls/"<img src=""
onmouseover="document.body.innerHTML=String.fromCharCode(60,72,84,77,76,62,60,72,49,62,88,83,83,60,47,72,49,62,32,60,72,50,62,86,85,76,78,60,47,72,50,62);"><XSS

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser; this can be leveraged to steal sensitive information
such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Tested in Oracle Application Server Portal (Oracle AS Portal) 10g,
version 10.1.2. Other versions may be affected too.

VII. SOLUTION
-------------------------
Install the latest CPU (Critical Patch Update).

VIII. REFERENCES
-------------------------
http://www.oracle.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
August  11, 2010: Initial release
May     01, 2011: Final revision

XI. DISCLOSURE TIMELINE
-------------------------
August  11, 2010: Discovered by Internet Security Auditors
August  11, 2010: Oracle contacted including PoC.
August  12, 2010: Oracle informs that it will investigate
                  the vulnerability.
April   19, 2011: Oracle fixed the vulnerability in the
                  CPU (Critical Patch Update).
May     01, 2011: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessment. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are a vendor-independent provider with deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.
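The advisory above describes a DAD name echoed back into an error page, and notes that the name cannot contain "/". As an added example (not part of the advisory, and not Oracle's code), the check a front end should apply before reflecting a DAD name, plus a small scanner that flags requests of the proof-of-concept shape in access logs. The allowlist pattern for DAD names and the log format are assumptions.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumption (not stated in the advisory): a legitimate DAD name is a plain
# identifier. Quotes, angle brackets and spaces have no business in one.
DAD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def is_valid_dad_name(dad: str) -> bool:
    return bool(DAD_NAME_RE.match(dad))


def error_page_for(dad: str) -> str:
    """Build an 'unknown DAD' page without reflecting raw input.

    Names that fail the allowlist are replaced by a fixed placeholder and
    valid-but-unknown names are HTML-escaped, so neither path lets markup
    or script from the URL reach the user's browser."""
    if is_valid_dad_name(dad):
        shown = html.escape(dad, quote=True)
    else:
        shown = "(invalid name)"
    return "<html><body><p>No such DAD: %s</p></body></html>" % shown


# Common/combined log format: the request line sits in the quoted field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The DAD name is the first path segment after /portal/pls/; it ends at the
# first "/", which is why the advisory notes an injection cannot contain one.
PLS_RE = re.compile(r"^/portal/pls/([^/?]*)")


def dad_segment(path: str) -> Optional[str]:
    """Return the percent-decoded DAD segment of a request path, or None."""
    m = PLS_RE.match(path)
    return unquote(m.group(1)) if m else None


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag requests whose DAD segment is not a plain identifier.

    Returns (decoded_segment, reason) pairs for alerting on probes of the
    reflected sink described in the advisory."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        dad = dad_segment(m.group(1))
        if dad is None or is_valid_dad_name(dad):
            continue
        if re.search(r"[<>\"']", dad):
            reason = "markup characters in DAD name"
        else:
            reason = "DAD name outside allowlist"
        findings.append((dad, reason))
    return findings


# Constructed sample log lines (not real traffic). Line 2 is the shape of
# the advisory's example 1, percent-encoded as a server would log it.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2010:10:00:00 +0200] "GET /portal/pls/portal/PORTAL.home HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Aug/2010:10:00:01 +0200] "GET /portal/pls/%22%3CH1%3EXSS%20vulnerability%3CXSS HTTP/1.1" 404 310',
    '10.0.0.7 - - [11/Aug/2010:10:00:02 +0200] "GET /portal/pls/my-dad/x HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for dad, reason in suspicious_requests(SAMPLE_LOG):
        print("ALERT: %s: %r" % (reason, dad))
```

The scanner decodes percent-encoding before matching, so an encoded probe and a raw one produce the same finding.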


Oracle Released a Mammoth 78 Patches


Oracle is to release a mammoth 78 patches on Tuesday as part of the company's quarterly security update, including 23 fixes for Sun products and 13 for Database Server.
Oracle said in a Critical Patch Release pre-release announcement on Thursday that the patches have been designed to fix flaws across hundreds of its products.
"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products," the firm said.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."
Two of the 13 vulnerabilities in Oracle Database Server could be exploited remotely and without authentication, as could three in Oracle Secure Backup, according to the firm.
Oracle is also planning 18 new security fixes for Oracle Enterprise Manager Grid Control, 12 for PeopleSoft products, seven for Oracle Fusion Middleware and one each for E-Business Suite and Supply Chain Products Suite.
However, the largest number of patches is reserved for the Oracle Sun Products Suite. Nine of these vulnerabilities could be remotely exploited "over a network without the need for a username and password", the firm warned.
This quarter's patch update will keep administrators busy, but only just trumps Oracle's April update, which addressed 73 vulnerabilities in 25 products, including the Oracle Database 11g, Fusion Middleware, Application Server and PeopleSoft Enterprise platforms.
To see the official Statement of Oracle Click HERE


Oracle Enhances Virtual Desktop Offerings With New Release of Oracle's Sun Ray Software


Virtualization offerings, Oracle today announced Sun Ray Software 5.2.
The latest release of Oracle's server-hosted desktop software is dramatically simpler to install and configure and features improved video, audio, smart card, Virtual Private Network (VPN), and network resiliency.
Sun Ray Software is part of Oracle's complete desktop-to-datacenter virtualization portfolio, allowing customers to efficiently and easily virtualize and manage their full software and hardware stack, from applications to disk.
Easier Deployment and an Enhanced Audio and Video Experience
Oracle's Sun Ray Software virtually eliminates maintenance, upgrade, operational costs and security vulnerabilities associated with traditional desktop environments by centralizing management, data, and applications on a server-hosted environment.
Sun Ray Software enables users to access virtual Windows, Linux, and Oracle Solaris desktop environments through any combination of Sun Ray Clients, PCs or Macs.
Sun Ray Software interoperates with other virtualization technologies and desktop brokers.
New enhancements in Sun Ray Software 5.2 include:
  • Simplified installation and deployment: an integrated installer allows Sun Ray Software to be downloaded and deployed in one, easy-to-install package.
  • Richer multimedia experience: delivers a complete, optimized Windows Media Player experience for Windows XP and Windows Server 2003 that is equal to a standard PC. Optimized multimedia delivery to the local client provides enhanced network utilization and scalability.
  • Real-time audio: provides USB headset support for specific devices; Appliance Link Protocol dynamically optimizes the audio channels to meet application demands, improving audio quality and reducing network bandwidth consumption by 92 percent.
  • Oracle Solaris IPMP support for greater resiliency and load spreading: enables users to leverage Oracle Solaris IP Multipathing (IPMP) to deploy multiple network paths to the server infrastructure for network fault tolerance and load spreading.
  • Sun Ray Client operating software enhancements: additional smart card support, including cards that operate at the ISO-7816 defined voltages of 1.8V, 3V, or 5 Volts; and extended VPN options, including support for Cisco VPN with hybrid authentication.
Supporting Quote
  • "Today's organizations are under more pressure than ever to maximize efficiencies, while minimizing costs," said Wim Coekaerts, Oracle's senior vice president, Linux and Virtualization Engineering. "With Sun Ray Software, IT can centralize the management and maintenance of thousands of thin clients -- reducing cost and complexity, while enhancing security. Innovations in Sun Ray Software 5.2 make it even easier to install and update, while delivering an improved end user audio and video experience."
Supporting Resources
  • Oracle Virtualization
  • Oracle's Sun Ray Clients
  • Sun Ray Software Datasheet
  • Think Thin Blog
  • Oracle Sun Ray Software 5.2 can be downloaded here


Oracle Makes OpenOffice.org completely Open Source

Oracle's OpenOffice.org office software suite is becoming a full community-based open source project, and the company plans to work with the open-source community on development.

Oracle is relinquishing its tight control over OpenOffice.org, the popular office software suite, and will no longer offer a commercial version.
OpenOffice.org will be moving to a purely community-based open-source project, Oracle said April 15. While Oracle will stop selling a commercial version of OpenOffice, the company intends to continue working with the community on development.

The details about when the move will occur, and why Oracle is making this unexpected change, were not available.

"Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a noncommercial basis," said Edward Screven, Oracle's chief corporate architect.


While the company said it will continue to "make large investments" in other open-source products, such as MySQL and Linux, it is unclear whether the company will continue to invest in OpenOffice.

"Oracle will continue to strongly support the adoption of open standards-based document formats, such as the Open Document Format," Screven said.

If Oracle retains the OpenOffice trademark, it will continue to have ultimate control over what changes are added into OpenOffice, despite the project being community-driven.


Despite its claim of a “long history of investing in the development and support of open-source products,” many open-source advocates have viewed Oracle with distrust, especially after its acquisition of Sun Microsystems in 2009. That acquisition brought the popular MySQL database under the database giant’s control, as well as open-source projects including OpenSolaris. Oracle canceled that project in favor of Solaris 11 Express.


Unbreakable Enterprise Kernel Release 2 For Oracle Linux With Linux kernel 3.0 & btrfs

Today Oracle officially released its Unbreakable Enterprise Kernel Release 2 for Oracle Linux, which incorporates the recently released Linux 3.0 kernel and the newly added file system known as btrfs. This is the second major update of Oracle's Linux distribution since October 2010. It also features technical previews of Linux Containers and the Sun-developed DTrace, but those features are not yet commercially supported. Enterprise Kernel Release 2 is available to all Oracle Linux subscribers today and is included with Oracle Linux 5 and 6.

In a brief interview, Oracle executives said Btrfs, which is standard in Oracle Linux, supports data stores of up to 16 exabytes, is optimized for solid state disks, incorporates data integrity features and is simple to administer. Enterprise Kernel 2 was tested on two-socket systems and on Oracle's most powerful 8-socket systems, demonstrated an impressive 5 million transactions per minute on x86 systems, and reportedly offers the fastest performance on Intel systems.
Linux 3.0 was the first version of the kernel to support the Btrfs next-generation file system. Btrfs can manage up to 16 exabytes of data in one namespace, which should ease the burden of data management for organizations with that much material. It provides the ability to automatically back up data and a way to do RAID backups without external controllers. It also is optimized for solid-state hard drives, rather than the drives based on spinning disks.
Some key Highlights In This Release Include:-
  • Btrfs file system
  • Performance and scalability improvements
  • Virtualization improvements
  • Transparent Huge Pages and Memory compaction
  • Cgroups improvements
  • Linux Containers
  • OCFS2 improvements
  • Updated Device Drivers
For more information, please see the Unbreakable Enterprise Kernel Release 2 features and benefits document and consult the release notes. For installation instructions, check out the Getting Started with the Unbreakable Enterprise Kernel installation guide on the Oracle Technology Network.

Oracle Released Emergency Update to Patch Java 0day (CVE-2012-4681)

The zero-day vulnerabilities in Java that have been in the spotlight for the last few days have taken a new direction. Several security firms have already reported that this newly found Java exploit has been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. As expected, Oracle has released an emergency update to address those zero-day vulnerabilities. This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Supported Products Affected

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below.  Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
Java SE | Patch Availability
JDK and JRE 7 Update 6 and before | Java SE
JDK and JRE 6 Update 34 and before | Java SE

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.

Patch Availability Table

Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Java SE | Oracle JDK and JRE Risk Matrix

Also Java 7 Update 7 is now available to download for Windows (32- and 64-bit), Linux (32- and 64-bit), Mac OS X (64-bit), Solaris x86 (32- and 64-bit) and Solaris SPARC (32- and 64-bit). JDKs with the updated Java runtimes are also available. Users with Java installed on their systems, whatever operating system, should install the updates as soon as possible because malicious software that uses the vulnerability is already in circulation. For detailed information click here

Oracle Database Firewall Adds Support For MySQL Enterprise Edition



Oracle has released a version of Oracle Database Firewall that adds support for MySQL Enterprise Edition.
Oracle Database Firewall (ODF) is essentially a utility that monitors database activity on the network looking for unauthorized access, SQL injections, and privilege or role escalation.
The software analyses the grammar of SQL statements to detect and prevent SQL injection attacks. It can also be used to demonstrate security compliance without changing any existing databases or the applications that access the data, which means companies can show they are conforming to requirements such as Sarbanes-Oxley (SOX), the Payment Card Industry (PCI) standard, and the Health Insurance Portability and Accountability Act (HIPAA).
The firewall comes with a set of reports that can show what’s been happening in terms of access to the database.

The addition of support for MySQL Enterprise Edition is hardly a surprise given the fact that MySQL is now part of Oracle. Other supported databases include Oracle Database 11g, IBM DB2, Microsoft SQL Server, Sybase Adaptive Server Enterprise, and Sybase SQL Anywhere. Other improvements to the new version include ten new reports for regulatory compliance, alongside the ability to modify the layout of existing reports. It is also integrated with Oracle Advanced Security, so even encrypted traffic can be monitored while being sent to Oracle Databases.
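As an added illustration of the grammar-based approach described above (example code written here, not Oracle's code and not how Oracle Database Firewall is implemented): each statement is reduced to its grammatical shape with literals replaced by placeholders, and any shape not seen in a learned baseline is flagged. The SQL subset, keyword list and sample statements are constructed for the example.

```python
import re
from typing import Iterable, Set

# Tokenizer for a practical subset of SQL. Order matters: literals first.
TOKEN_RE = re.compile(
    r"""
      (?P<string>'(?:[^']|'')*')          # single-quoted literal ('' escapes ')
    | (?P<number>\b\d+(?:\.\d+)?\b)       # numeric literal
    | (?P<comment>--[^\n]*|/\*.*?\*/)     # SQL comments
    | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)   # keyword or identifier
    | (?P<op><>|<=|>=|!=|[=<>(),;*+\-/])  # operators and punctuation
    | (?P<ws>\s+)
    | (?P<other>.)                        # anything unexpected, e.g. a lone quote
    """,
    re.VERBOSE | re.DOTALL,
)

KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "IS", "NULL", "LIKE",
    "INSERT", "INTO", "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL",
    "ORDER", "BY", "LIMIT",
}


def signature(sql: str) -> str:
    """Reduce a statement to its grammatical shape.

    Literals collapse to '?', keywords are upper-cased, identifiers
    lower-cased and whitespace dropped. Statements that differ only in the
    data they carry share a signature; an injected clause changes it."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "comment":
            out.append("<comment>")
        elif kind == "word":
            up = text.upper()
            out.append(up if up in KEYWORDS else text.lower())
        elif kind == "other":
            out.append("<%s>" % text)
        else:
            out.append(text)
    return " ".join(out)


class GrammarMonitor:
    """Allowlist of statement shapes learned from known-good traffic."""

    def __init__(self) -> None:
        self.allowed: Set[str] = set()

    def learn(self, statements: Iterable[str]) -> None:
        for s in statements:
            self.allowed.add(signature(s))

    def check(self, sql: str) -> str:
        """Return 'allow' for a learned shape, 'alert' for anything else."""
        return "allow" if signature(sql) in self.allowed else "alert"


# Constructed sample statements (not real application traffic).
BASELINE = ["SELECT id, name FROM users WHERE login = 'alice' AND pwd = 'secret'"]
LEGIT = "SELECT id, name FROM users WHERE login = 'bob' AND pwd = 'hunter2'"
TAUTOLOGY = "SELECT id, name FROM users WHERE login = '' OR '1'='1' AND pwd = ''"
COMMENTED = "SELECT id, name FROM users WHERE login = 'admin' --' AND pwd = 'x'"

if __name__ == "__main__":
    mon = GrammarMonitor()
    mon.learn(BASELINE)
    for q in (LEGIT, TAUTOLOGY, COMMENTED):
        print(mon.check(q), "|", signature(q))
```

In practice the baseline is learned from a representative traffic capture of the application, and a new shape is either alerted on or added to the allowlist after review.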
