Oracle releases 59 patches for security flaws, 28 critical
Critical flaws fixed in virtually every supported Oracle database product; others also cross product lines
Computerworld - Oracle Corp. released a set of 59 patches on Monday to fix security vulnerabilities across its entire range of database, application and middleware products.
The patches include fixes for three critical flaws affecting virtually every supported version of the company's Database Server technology.
Today's patches were released as part of the company's scheduled quarterly Critical Patch Update, and included a total of 28 fixes for critical, remotely exploitable vulnerabilities.
Of the 59 patches announced today, 13 are for security problems in Oracle's suite of database technologies. Three are critical because they address particularly dangerous flaws in all Oracle database server versions, said Josh Shaul, director of product management at Application Security Inc., a New York-based security vendor.
One of the flaws, CVE-2010-0902, allows any user who is authenticated to an Oracle database to gain complete administrative control of it. "They can view the database, modify it or shut down the database server. They can essentially become a database administrator," Shaul said.
The two other critical database flaws can potentially be exploited without a user even needing to be logged into the database. The flaws allow attackers to trigger denial of service (DoS) conditions against a database so as to make it unavailable to legitimate users.
"These are three really killer vulnerabilities that affect the database," Shaul said. Oracle's severity rating for the flaws does not reflect the real nature of the threat they pose, he added.
The Solaris product suite that Oracle acquired through its purchase of Sun Microsystems Inc., meanwhile, accounted for 21 of the patches released today, seven of which are remotely exploitable.
Seventeen of the patches are for flaws in Oracle's E-Business, supply chain, PeopleSoft and JD Edwards product suites; another seven fix flaws in Oracle's Fusion Middleware products, while one patches a hole in Oracle Enterprise Manager Grid Control.
The number of patches released today is relatively small compared with some previous releases. In January 2006, Oracle issued 82 patches while it issued 101 in the same year's October update.
In the past, Oracle administrators have been notoriously slow at deploying security patches, especially in database environments. Previous studies have shown Oracle environments to often be months behind in deploying the company's security patches, even in instances where the flaws might present considerable danger.
Much of that reluctance has stemmed from concerns about security patches causing disruptions to production databases, and from the time needed to test and deploy the patches.
More recently, however, there are signs that companies are getting better at deploying Oracle database patches, thanks to the availability of patch management tools, Shaul said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.