Oracle releases 101 patches in quarterly update
They cover flaws in database and app server products, collaboration and e-business suites
Computerworld - Oracle Corp. today released 101 new patches addressing vulnerabilities across its range of database and application server products as well as its collaboration and e-business suites.
Among the vulnerabilities listed are 63 fixes that address flaws in Oracle's database products, 14 aimed at plugging holes in the company's application server products, 13 for vulnerabilities in its e-business suites and nine patches addressing security flaws in the company's PeopleSoft and J.D. Edwards software.
"More than one-third of the vulnerabilities patched in this [critical patch update] are in an optional product and do not affect most customers" a post on Oracle's security blog noted. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," the blog post said.
As with Oracle's previous security updates, all of today's patches, with the exception of those for its e-business suite, are cumulative, according to the blog. Thus, a customer that implements today's patches will automatically be protected against all flaws announced today as well as those covered in previous security updates, the company added.
The patches are part of Oracle's scheduled quarterly critical patch updates. The last one was in July.
For the first time since moving to a quarterly patch-release schedule in November 2004, Oracle included new documentation with its latest critical patch update. Among the new information is an executive summary that gives a high-level overview of the vulnerabilities addressed with the latest patches. Also included is a vulnerability rating system based on the Common Vulnerability Scoring System (CVSS), which is an emerging standard for rating security flaws. The changes have been introduced in response to customer requests to make Oracle's patching process a little easier to understand.
A total of 45 flaws were listed as being remotely exploitable without requiring authentication by the attackers. Such flaws were highlighted for the first time in Oracle's critical patch updates as part of the company's effort to give customers more vulnerability-related information.
Oracle moved to a quarterly update schedule in November 2004 in response to user demands for a more streamlined patching process. Since then, the company has come a "long way" in its patching processes, said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a Lombard, Ill.-based Oracle technology consulting firm. The increased documentation that Oracle started making available with this update also makes it easier for customers to identify relevant patches and "calculate the resources that will be required" to implement the fixes, he said.
One issue of concern for enterprises is that some of the flaws addressed by today's updates appear to be identical to flaws that were supposed to have been patched previously, said Amichai Shulman, chief technology officer at database security firm Imperva Inc. of Foster City, Calif. Of the 22 flaws disclosed today in the Oracle database, at least five appear to be similar to previously addressed issues, said Shulman whose company has helped identify vulnerabilities in Oracle products previously.
"There is something alarming about this trend of the same vulnerability repeating itself in the same database package and the same object," he said.
Read more about Applications in Computerworld's Applications Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts