Oracle fixed 57 security vulnerabilities across its product portfolio, including four bugs for its database software and 20 bugs in the Oracle Sun product suite.
Oracle released 23 security
patches that addressed 57 vulnerabilities, of which 21 have been classified as
"critical," as part of its Critical
on Oct. 18. The various vulnerabilities affected hundreds of
Oracle products, according to the company.
Oracle calculates a risk
score based on the Common Vulnerability Scoring System to assess the severity
of vulnerability. The company also has a different risk rating to indicate the
likelihood of a complete takeover. Researchers said Oracle was downplaying the
severity of some of the patches.
"As usual, Oracle's use
of [a] CVSS scoring system takes the scoring of most vulnerabilities
CTO Amichai Shulman wrote on the company blog.
October's CPU contained
updates to Oracle Database Server11g and 10g, Oracle Fusion middleware
including Application Server, Business Intelligence Enterprise Edition,
Identity Management and WebLogic, the E-Business Suite, Supply Chain,
PeopleSoft, Siebel CRM, Health Sciences Application and the Sun Product Suite.
The company also fixed issues in Oracle Linux 5 and Oracle Sun Ray, part of the
company's virtualization product suite.
Oracle addressed five
vulnerabilities in the database, none of which were considered critical. This
would be the lowest number of vulnerabilities patched since the CPU process
started in 2005, according to Alex Rothacker, director of security research for
. Noting the research team has identified several
vulnerabilities that have not yet been patched by Oracle, Rothacker said the
low number of database patches showed Oracle was losing focus on database
security improvements, "probably due to many new product offerings and
None of the patches apply to
client-only installations. These patches are necessary only for environments
where Oracle Database Server is installed, Oracle said in its advisory.
The highest vulnerability
rating among database patches had a CVSS score of 6.5 out of 10, Shulman said,
noting that it should "probably be higher" because the effects of
CVE-2011-3525 is "practically a full takeover of the database server,"
and it's easy to exploit.
Rothacker was very concerned
about a vulnerability in Database Vault that allowed users to bypass security
protections provided by the tool (CVE-2011-3511). Database Vault is a security
product that is supposed to make Oracle products more secure, but it continues
to be "riddled" with vulnerabilities each quarter, he said. "I
remain suspicious of Oracle's commitment to secure software," Rothacker
Oracle also patched 22
serious vulnerabilities in the Oracle Sun Products Suite, which includes the
former Sun Microsystems' Solaris operating system and SPARC servers. Affected
software includes Oracle Communications Unified, Oracle GlassFish Server,
Oracle OpenSSO, Oracle WaveSet, Solaris and Sparc T3, Netra SPARC T3, Sun Fire
and Sun Blade servers. Nine of the vulnerabilities are critical.
A TCP/IP issued in the
Solaris LDAP library (CVE-2011-3508) had the highest base core in the entire
release, with a 9.3 rating.
Oracle fixed 10 security
holes in Oracle Fusion Middleware, five of which may be remotely exploitable
without authentication. Oracle Fusion Middleware products include some of the
Oracle Database components that had to be patched in this release. Oracle
recommended that administrators apply the database patches before fixing issues
with Oracle Fusion Middleware products.
Oracle e-Business Suite had
five flaws, of which three were critical. Similarly to Fusion middleware,
Oracle E-Business Suite products include components from Oracle Database and
Oracle Fusion Middleware that was patched in this month's CPU. Oracle
recommended that administrators apply the patch to the database and middleware
components within the eBusiness suite.
Oracle fixed a security flaw
in Supply Chain products and seven in Oracle PeopleSoft Products. None were
rated critical. Three security holes were fixed in Oracle Siebel CRM (with one
critical vulnerability), and both Oracle Industry Applications flaws were rated
Finally, the critical patch
update included patches to fix a flaw in Oracle Linux 5, which was not rated as
critical, and one in Oracle Virtualization, which was critical.
Oracle released the patch
updates for Java in a separate release. The Java SE release included patches
addressing 20 vulnerabilities, 19 of which could be exploited remotely by an
unauthenticated attacker. At least one of the vulnerabilities had the highest
CVSS score, 10.