Update: Oracle offers security fixes, releases password tool
Fourteen patches, plus a utility that finds unchanged default log-in info
IDG News Service - Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company's products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers.
Earlier versions of Oracle's database software included well-known default passwords and user names, for example "scott / tiger". These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles.
Although these accounts have been locked down in current versions of the database, they may present a problem to some users with older versions of the database or to those who have upgraded from an older version that included the default passwords, he added.
Oracle 10g databases that have been upgraded from Oracle 7, Oracle8i, or Oracle9i may include the default accounts, according to a note accessible to subscribers of Oracle's MetaLink support service.
The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. "This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems."
Subscribers to MetaLink can find more information on the Default Password Scanner in MetaLink Note 361482.1.
Included in the balance of the update package are 14 fixes for bugs in the Oracle database, several of which could be easily exploited in a widespread manner, according to Oracle.
The company has also released patches for the Oracle Application Server, Collaboration Suite, E-Business Suite, and Enterprise Manager software, as well as for its PeopleSoft PeopleTools software and J.D. Edwards EnterpriseOne Security Server.
Several of these vulnerabilities are "significant" and users should patch their software as soon as possible, said security vendor Symantec Corp. in an alert sent to customers shortly after the updates were published. "No workarounds for these issues have been published by Oracle," Symantec said.
Of particular interest is a fix for a previously disclosed vulnerability in the PLSQL (Procedural Language/Structured Query Language) gateway software that is used to integrate Oracle's database with Web-based applications. Security researcher David Litchfield published a fix for this problem in January, but Oracle had warned users not to deploy his software, saying it would break a number of Oracle products.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!