Oracle releases 101 patches in quarterly update
They cover flaws in database and app server products, collaboration and e-business suites
Computerworld - Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.
Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards software.
"More than one-third of the vulnerabilities patched in this [critical patch update] are in an optional product and do not affect most customers" a post on Oracle's security blog noted. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," the blog post said.
As with Oracle's previous security updates, all of today's patches, with the exception of those for its e-business suite, are cumulative, according to the blog. Thus, a customer that implements today's patches will automatically be protected against all flaws announced today as well as those covered in previous security updates, the company added.
The patches are part of Oracle's scheduled quarterly critical patch updates. The last one was in July.
For the first time since moving to a quarterly patch-release schedule in November 2004, Oracle included new documentation with its latest critical patch update. Among the new information is an executive summary that gives a high-level overview of the vulnerabilities addressed with the latest patches. Also included is a vulnerability rating system based on the Common Vulnerability Scoring System (CVSS), which is an emerging standard for rating security flaws. The changes have been introduced in response to customer requests to make Oracle's patching process a little easier to understand.
A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle's critical patch updates as part of the company's effort to give customers more vulnerability-related information.
Oracle moved to a quarterly update schedule in November 2004 in response to user demands for a more streamlined patching process. Since then, the company has come a "long way" in its patching processes, said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a Lombard, Ill.-based Oracle technology consulting firm. The increased documentation that Oracle started making available with this update also makes it easier for customers to identify relevant patches and "calculate the resources that will be required" to implement the fixes, he said.
One issue of concern for enterprises is that some of the flaws addressed by today's updates appear to be identical to flaws that were supposed to have been patched previously, said Amichai Shulman, chief technology officer at database security firm Imperva Inc. of Foster City, Calif. Of the 22 flaws disclosed today in the Oracle database, at least five appear to be similar to previously addressed issues, said Shulman whose company has helped identify vulnerabilities in Oracle products previously.
"There is something alarming about this trend of the same vulnerability repeating itself in the same database package and the same object," he said.
Read more about Applications in Computerworld's Applications Topic Center.
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- Building an Intelligence-Driven Security Operations Center The openness of today's networks and the growing sophistication of advanced threats make it almost impossible to prevent cyber attacks and intrusions.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!