Oracle releases 101 patches in quarterly update
They cover flaws in database and app server products, collaboration and e-business suites
Computerworld - Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.
Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards software.
"More than one-third of the vulnerabilities patched in this [critical patch update] are in an optional product and do not affect most customers" a post on Oracle's security blog noted. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," the blog post said.
As with Oracle's previous security updates, all of today's patches, with the exception of those for its e-business suite, are cumulative, according to the blog. Thus, a customer that implements today's patches will automatically be protected against all flaws announced today as well as those covered in previous security updates, the company added.
The patches are part of Oracle's scheduled quarterly critical patch updates. The last one was in July.
For the first time since moving to a quarterly patch-release schedule in November 2004, Oracle included new documentation with its latest critical patch update. Among the new information is an executive summary that gives a high-level overview of the vulnerabilities addressed with the latest patches. Also included is a vulnerability rating system based on the Common Vulnerability Scoring System (CVSS), which is an emerging standard for rating security flaws. The changes have been introduced in response to customer requests to make Oracle's patching process a little easier to understand.
A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle's critical patch updates as part of the company's effort to give customers more vulnerability-related information.
Oracle moved to a quarterly update schedule in November 2004 in response to user demands for a more streamlined patching process. Since then, the company has come a "long way" in its patching processes, said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a Lombard, Ill.-based Oracle technology consulting firm. The increased documentation that Oracle started making available with this update also makes it easier for customers to identify relevant patches and "calculate the resources that will be required" to implement the fixes, he said.
One issue of concern for enterprises is that some of the flaws addressed by today's updates appear to be identical to flaws that were supposed to have been patched previously, said Amichai Shulman, chief technology officer at database security firm Imperva Inc. of Foster City, Calif. Of the 22 flaws disclosed today in the Oracle database, at least five appear to be similar to previously addressed issues, said Shulman whose company has helped identify vulnerabilities in Oracle products previously.
"There is something alarming about this trend of the same vulnerability repeating itself in the same database package and the same object," he said.
Read more about Applications in Computerworld's Applications Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts