Oracle Fixes SQL Vulnerabilities
Oracle has posted patches for its E-Business Suite and Applications 11.0 software.
June 11, 2004
Oracle has posted patches for its E-Business Suite and Applications 11.0 software to fix multiple, critical SQL vulnerabilities.
The vulnerabilities, which were first disclosed last week by Stephen Kost of security firm Integrigy, affect Oracle Applications 11.0 and 11i, as well as E-Business Suite versions 11.5.1 through 11.5.8, on all platforms.
On Tuesday, the U.S. Computer Emergency Response Team (US-CERT), part of the Department of Homeland Security, also chimed in with its own alert on the problem.
Oracle rated the risk as high, "as any user with browser access and specialized knowledge can exploit these vulnerabilities," the company said in an advisory posted last week.
The SQL vulnerability allows attackers to hijack a database or application, or execute SQL statements, by inserting SQL code fragments into the input fields of a Web page. Users with Internet-facing application servers are most at risk, according to Integrigy.
Oracle has released a patch that can be downloaded from its Metalink support Web site as Note ID 274375.1.