Freely subscribe to our NEWSLETTER

A raft of Oracle security flaws - which were fixed on Wednesday of this week - are potentially serious and, as a result, Imperva, the data security specialist, is recommending that all users of Oracle’s software products should patch their applications without delay.

According to Amichai Shulman, Imperva’s chief technology officer, the fact that Oracle has issued 33 patches - 10 of which are sealing vulnerabilities in Oracle’s database server offering - indicates the severity of the problem.

"The scale of the problem is such that, if companies do not patch, then they could end up leaking customer account data, including credit and debit card details, to hackers on remote access," he said.

"The patches affect Oracle’s Application Server, Secure Backup, Identity Management, E-Business Suite, Enterprise Manager, WebLogic Server and JRockit, as well as PeopleSoft and Siebel tools," he added.

Shulman noted that two of the flaws in Oracle’s Secure Backup earned scores of 9.0 and 10.0 - out of 10.0 - on the CVSS risk rating. The JRockit flaw also scored a 10.0.

Two vulnerabilities on the Oracle database server, he explained, are remotely exploitable without any authentication being required.

This is, he says, not unheard of but always interesting, as it indicates a vulnerability in the network protocol layer.

Shulman went on to say that these vulnerabilities mean a hacker can attack the database without authenticating to the system or logging in, meaning that a major attack could go undetected by the IT manager of the system concerned.

According to the Imperva CTO, the number of vulnerabilities in the Oracle eBusiness suite - one of the remotely exploitable flaws not requiring authentication - remains consistent with previous releases.