Oracle drops a pile of critical patches in 78-update release
Oracle has released a wave of 78 security updates for its software products all at once, including fixes for a number of vulnerabilities—in products including Oracle Database Server, Solaris, Fusion Middleware, E-Business Suite, and MySQL—that "may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password." While the majority of these bugs don't compromise data security, they could be exploited to crash applications.
The vulnerability in Oracle Database, which affects a number of versions from 10.1 through 11.2, is in the database's listener program, the component that accepts remote connections and commands from other applications. The listener has been the source of a number of vulnerabilities dating back at least ten years. While this vulnerability doesn't reveal data in the core database, it can be used to deny other applications access to the database. There is also a fix for a less critical vulnerability in the core DBMS of Oracle Database, one that is not exploitable without authentication but that "has a significant non-security component."
Solaris also received eight patches, some of which cover versions as far back as Solaris 8. One TCP/IP vulnerability (affecting Solaris 9, 10, 11 and Solaris Express) would allow a remote attacker to completely crash the operating system. A flaw in Solaris' Kerberos implementation, exploitable with a single authentication, could allow full compromise of the system. Other less severe holes patched in Solaris include vulnerabilities in Solaris' RPC services, kernel, and secure shell (SSH) daemon.