Skip the navigation

Oracle releases 101 patches in quarterly update

They cover flaws in database and app server products, collaboration and e-business suites

October 17, 2006 12:00 PM ET

Computerworld - Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.

Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards software.

"More than one-third of the vulnerabilities patched in this [critical patch update] are in an optional product and do not affect most customers" a post on Oracle's security blog noted. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," the blog post said.

As with Oracle's previous security updates, all of today's patches, with the exception of those for its e-business suite, are cumulative, according to the blog. Thus, a customer that implements today's patches will automatically be protected against all flaws announced today as well as those covered in previous security updates, the company added.

The patches are part of Oracle's scheduled quarterly critical patch updates. The last one was in July.

For the first time since moving to a quarterly patch-release schedule in November 2004, Oracle included new documentation with its latest critical patch update. Among the new information is an executive summary that gives a high-level overview of the vulnerabilities addressed with the latest patches. Also included is a vulnerability rating system based on the Common Vulnerability Scoring System (CVSS), which is an emerging standard for rating security flaws. The changes have been introduced in response to customer requests to make Oracle's patching process a little easier to understand.

A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle's critical patch updates as part of the company's effort to give customers more vulnerability-related information.

Oracle moved to a quarterly update schedule in November 2004 in response to user demands for a more streamlined patching process. Since then, the company has come a "long way" in its patching processes, said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a Lombard, Ill.-based Oracle technology consulting firm. The increased documentation that Oracle started making available with this update also makes it easier for customers to identify relevant patches and "calculate the resources that will be required" to implement the fixes, he said.

One issue of concern for enterprises is that some of the flaws addressed by today's updates appear to be identical to flaws that were supposed to have been patched previously, said Amichai Shulman, chief technology officer at database security firm Imperva Inc. of Foster City, Calif. Of the 22 flaws disclosed today in the Oracle database, at least five appear to be similar to previously addressed issues, said Shulman whose company has helped identify vulnerabilities in Oracle products previously.

"There is something alarming about this trend of the same vulnerability repeating itself in the same database package and the same object," he said.

Read more about Applications in Computerworld's Applications Topic Center.



Our Commenting Policies