Application Security, Inc. to Support Latest Oracle Critical Patch Update for the Oracle Database

Team SHATTER, AppSec’s Leading Global Database Security Researchers, Credited for Contributions to Oracle's Latest Database Vulnerability Fixes
By: Application Security, Inc.
 
April 15, 2010 - PRLog -- NEW YORK ─ Application Security, Inc., the leading provider of database security, risk and compliance solutions (SRC) for the enterprise, today announced that it will support Oracle's April 2010 CPU (critical patch update) for the Oracle database.

The latest CPU contains 47 security vulnerability fixes across multiple Oracle products, eight of which are specific to the Oracle database. One of the eight database vulnerabilities, affecting the Oracle Internet Directory, has been given a CVSS (Common Vulnerability Scoring System) score of 7.5 out of 10. None of the vulnerabilities can be remotely exploited without authentication, that is, without a username and password. AppSec implements support for every CPU, ensuring the highest level of protection and performance for Oracle database users.

Since 2004, Team SHATTER, Application Security, Inc.'s leading database security research team, has reported more than 80 database-related vulnerabilities to Oracle. The company’s agentless approach helps Oracle customers streamline database risk assessment and manage critical information assets for successful database audits.

As it does every quarter, Application Security, Inc. uses its monthly ASAP Update™ (Application Security Automatic Protection) process to enhance its market-leading solutions, AppDetectivePro for auditors and IT advisors and DbProtect for the enterprise, with Oracle’s CPU. Updates include monitoring filters for new security vulnerabilities, enabling customers to protect themselves during the deployment of new patches across their database infrastructure.

“AppSec is committed to offering Oracle and AppSec customers the most up-to-date vulnerability checks and protection,” said Alex Rothacker, Manager, Team SHATTER, AppSec. “Our research is critical in ensuring that enterprise database environments remain secure and in compliance with the latest regulations.”

AppSec’s Team SHATTER has identified the following vulnerabilities as high risk:

•   CVE-2010-0860 is a vulnerability that allows for complete takeover of the database, operating system and server. The vulnerability requires an authenticated user with ‘CREATE USER’ privileges – which are typically only assigned to higher privileged users. An exploit escalating privileges, by taking advantage of some of the other vulnerabilities fixed in this CPU, will allow very low privileged users to completely take over a server.

•   CVE-2010-0866 and CVE-2010-0867 are the zero-day vulnerabilities that were unveiled at the Black Hat Conference in February. These vulnerabilities permitted an attacker to escalate their privileges, become a system database administrator (sysdba) and take control of Oracle databases 10g, 10gR2, 11g, or 11gR2.

# # #

About Application Security, Inc.
AppSec is the leading provider of database security, risk and compliance (SRC) solutions for the enterprise. AppSec’s agentless approach - AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise - delivers the industry’s most scalable database SRC solution and is in use around the world in the most demanding environments by over 2,000 customers. The company was named to Inc. Magazine’s 2007 (Inc. 500) and 2008 list of America’s Fastest Growing Private Companies, and was also named to the 2008 Deloitte Technology Fast 50 by Deloitte & Touche.

For more information, please visit www.appsecinc.com.

DbProtect and AppDetectivePro are trademarks of Application Security, Inc. All other product names, service marks, and trademarks mentioned herein are trademarks of their respective owners.
End
Source: Application Security, Inc.
Zip: 10017
Tags: Database, Security, Risk, Compliance, Cpu, Oracle, Critical Patch Update, Vulnerability
Industry: Technology, Security, Computers
Location: New York City - New York - United States