Oracle has finally released vital security patches for several vulnerabilities reported last month.
Customers should download the patches to fix holes in current and past versions of Oracle's database, application server and management tools, the company said in a security bulletin. It described the holes in its database and application server as "high risk". A hacker could potentially exploit them to access a server without needing a user account, Oracle said.
Many of the holes were discovered in January by security specialist David Litchfield of Next Generation Security Software, who has criticised Oracle for not releasing the patches sooner. They were ready for release more than two months ago, according to Litchfield, but Oracle delayed their release while it prepared a new system for releasing security patches. Two weeks ago, Oracle switched to a new, monthly cycle for releasing patches.
Tuesday's bulletin lists all the affected products, which include the Oracle8i, Oracle9i and 10g versions of its database; the Oracle9i and 10g versions of its application server, and Enterprise Manager Grid Control 10g and Enterprise Manager Database Control 10g. Exact version numbers are listed in the bulletin [pdf].
Customers of the Oracle Collaboration Suite and Oracle E-Business Suite 11i were advised to also patch the database and application server components of those products.