Update: Oracle offers security fixes, releases password tool

IDG News Service - Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company's products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers.

Earlier versions of Oracle's database software included well-known default passwords and user names, for example "scott / tiger". These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles.

Although these accounts have been locked down in current versions of the database, they may present a problem to some users with older versions of the database or to those who have upgraded from an older version that included the default passwords, he added.

Oracle 10g databases that have been upgraded from Oracle 7, Oracle8i, or Oracle9i may include the default accounts, according to a note accessible to subscribers of Oracle's MetaLink support service.

The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. "This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems."

Subscribers to MetaLink can find more information on the Default Password Scanner in MetaLink Note 361482.1.

Included in the balance of the update package are 14 fixes for bugs in the Oracle database, several of which could be easily exploited in a widespread manner, according to Oracle.

The company has also released patches for the Oracle Application Server, Collaboration Suite, E-Business Suite, and Enterprise Manager software, as well as for its PeopleSoft PeopleTools software and J.D. Edwards EnterpriseOne Security Server.

Several of these vulnerabilities are "significant" and users should patch their software as soon as possible, said security vendor Symantec Corp. in an alert sent to customers shortly after the updates were published. "No workarounds for these issues have been published by Oracle," Symantec said.

Of particular interest is a fix for a previously disclosed vulnerability in the PLSQL (Procedural Language/Structured Query Language) gateway software that is used to integrate Oracle's database with Web-based applications. Security researcher David Litchfield published a fix for this problem in January, but Oracle had warned users not to deploy his software, saying it would break a number of Oracle products.