Oracle releases 101 patches in quarterly update
They cover flaws in database and app server products, collaboration and e-business suites
Computerworld - Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.
Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards software.
"More than one-third of the vulnerabilities patched in this [critical patch update] are in an optional product and do not affect most customers" a post on Oracle's security blog noted. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," the blog post said.
As with Oracle's previous security updates, all of today's patches, with the exception of those for its e-business suite, are cumulative, according to the blog. Thus, a customer that implements today's patches will automatically be protected against all flaws announced today as well as those covered in previous security updates, the company added.
The patches are part of Oracle's scheduled quarterly critical patch updates. The last one was in July.
For the first time since moving to a quarterly patch-release schedule in November 2004, Oracle included new documentation with its latest critical patch update. Among the new information is an executive summary that gives a high-level overview of the vulnerabilities addressed with the latest patches. Also included is a vulnerability rating system based on the Common Vulnerability Scoring System (CVSS), which is an emerging standard for rating security flaws. The changes have been introduced in response to customer requests to make Oracle's patching process a little easier to understand.
A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle's critical patch updates as part of the company's effort to give customers more vulnerability-related information.
Oracle moved to a quarterly update schedule in November 2004 in response to user demands for a more streamlined patching process. Since then, the company has come a "long way" in its patching processes, said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a Lombard, Ill.-based Oracle technology consulting firm. The increased documentation that Oracle started making available with this update also makes it easier for customers to identify relevant patches and "calculate the resources that will be required" to implement the fixes, he said.
One issue of concern for enterprises is that some of the flaws addressed by today's updates appear to be identical to flaws that were supposed to have been patched previously, said Amichai Shulman, chief technology officer at database security firm Imperva Inc. of Foster City, Calif. Of the 22 flaws disclosed today in the Oracle database, at least five appear to be similar to previously addressed issues, said Shulman whose company has helped identify vulnerabilities in Oracle products previously.
"There is something alarming about this trend of the same vulnerability repeating itself in the same database package and the same object," he said.
Read more about Applications in Computerworld's Applications Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts