[January 17, 2013]
Application Security, Inc.'s TeamSHATTER Discovers Ten Database-Related Vulnerabilities In January 2013 Oracle Critical Patch Update
NEW YORK --(Business Wire)--
Application Security, Inc. (AppSecInc), the leading provider of database
security solutions for the enterprise, today announced that TeamSHATTER
researchers, Esteban Martinez Fayo, Martin Rakhmanov and Qinglin Jiang,
have been credited by Oracle for discovering and reporting the single
security issue fixed in the Oracle Database and nine out of 14 security
issues fixed in Oracle Enterprise Manager in the January
2013 Oracle Critical Patch Update (CPU). TeamSHATTER researchers
have been credited for reporting vulnerabilities in 30 of the 33 Oracle
CPUs since the program's inception in 2005.
The January 2013 CPU contains a total of 86 security vulnerability fixes
across multiple Oracle products; 45 of the fixes in this CPU are for
vulnerabilities that are remotely exploitable without authentication.
The CPU contains one database fix and 14 issues fixed in Oracle
Enterprise Manager. The database issue and nine of the Oracle Enterprise
Manager fixes are credited to TeamSHATTER.
The database vulnerability that was fixed is in the Spatial Component of
the Oracle database. It allows for a full server takeover and should be
patched immediately. If it is not needed, removing the Spatial Component
is a potential workaround. This vulnerability has a CVSS score of 9.0.
The Oracle Enterprise Manager vulnerabilities include flaws that allow
an attacker to affect the confidentiality and integrity of the database.
The CVSS scores range from 4.3 to 7.5. An analysis and recommended
call-to-action for the database vulnerability and the Oracle Enterprise
Manager vulnerabilities is available here: http://www.teamshatter.com/
"Oracle is making a concerted effort to fix security vulnerabilities
across the product line. The one database-specific fix has a CVSS score
of 9.0, making it very high-risk, and customers need to deploy patches
ASAP," states Esteban Martinez Fayo, researcher with TeamSHATTER. "And,
even though the fixes in Oracle Enterprise Manager are not as high of a
risk (CVSS scores range from 4.3 - 7.5), 14 fixes is a high number that
should be deployed so organizations are not left open to attack."
This Critical Patch Update also contains 18 new security fixes for
Oracle MySQL. Two of these vulnerabilities allow for a complete takeover
of the database and the hosting server, and the other two
vulnerabilities may be remotely exploitable without authentication,
i.e., may be exploited over a network without the need for a username
and password. It is extremely critical to apply these patches to any
The TeamSHATTER vulnerability knowledgebase is the largest and most
up-to-date offering of its kind. By identifying and remediating critical
database vulnerabilities, TeamSHATTER helps to ensure that AppSecInc
customer data is safe from internal and external threats.
AppSecInc supports every Oracle CPU by updating its market-leading
AppDetectivePro for auditors and IT advisors and DbProtect
for the enterprise with the appropriate scanning checks and monitoring
filters through its monthly ASAP Update™ (Application Security Automatic
Protection) process. DbProtect updates will include monitoring filters
for the new security vulnerabilities, enabling customers to protect
sensitive information during the deployment of new patches across their
TeamSHATTER, the research arm of Application Security, Inc., is the
largest dedicated database security, vulnerability and misconfiguration
research team in the world. TeamSHATTER maintains the most comprehensive
knowledgebase of database vulnerability and misconfiguration checks in
the industry and understands how to make security an integral part of an
enterprise's database security and network management infrastructure.
TeamSHATTER regularly publishes security advisories, technical papers
and research information on www.TeamSHATTER.com.
About Application Security, Inc.
AppSecInc is a pioneer and leading provider of database security
solutions for enterprise of all sizes. By providing easy to deploy and
manage, highly scalable software-only solutions - AppDetectivePro for
security and risk professionals, and DbProtect for the enterprise -
AppSecInc helps customers achieve unprecedented levels of data security,
while reducing overall risk and helping to ensure continuous regulatory
and industry compliance. Used by more than 1,300 active commercial and
government customers worldwide, our proven and award-winning enterprise
solutions are backed by the world's most comprehensive database security
knowledgebase from the company's renowned team of threat researchers, TeamSHATTER.
For more information, please visit: www.appsecinc.com and
follow us on Twitter: www.twitter.com/appsecinc
DbProtect and AppDetectivePro are trademarks of Application Security,
Inc. All other product names, service marks, and trademarks mentioned
herein are trademarks of their respective owners.