Oracle will release patches addressing 73 vulnerabilities across its product portfolio, including six for its databases next week as part of its quarterly CPU.
Oracle is delivering patches for almost every product in its
portfolio in its quarterly update next week. April's update package is much
larger than the January update where 66 issues were fixed, but this time Oracle
seems to be focusing less on its core database business.
Oracle plans to fix 73 security vulnerabilities, including
six issues in its flagship database software in the next Critical Patch Update,
the company said in its CPU
on April 14. Of the fixed issues, Oracle
classified 36 vulnerabilities as critical, or issues that may be exploited
remotely without requiring a username or password.
April's CPU will contain updates to Oracle Database Server11g
and 10g, Oracle Fusion middleware, Oracle Enterprise Manager Grid Control,
Oracle Siebel CRM, and Oracle Industry Applications. All the suites, E-Business,
Supply Chain Products, PeopleSoft and JD Edwards, will be updated. There will
also be security fixes addressing security flaws in Open Office 3, Star
Office/Star Suite 7 and 8, and the Oracle Sun product suite, including Solaris
and some Java server software, according the Oracle's pre-release announcement.
Just like the last CPU in January, there will be six
database fixes, of which two are considered critical. Similar to the January
update, the vulnerabilities fixed are in components not commonly implemented in
many environments, such as database vault and UIX.
The small number of database fixes despite the overall large
size of the CPU raised some flags. "As Oracle continues to get further and
further away from being a database-only vendor, their attention and dedication
to fixing vulnerabilities on the database platform continues to move in a
downward trend," Alex Rothacker, director of security research for TeamSHATTER,
the research arm of Application Security, told eWEEK.
TeamSHATTER currently has ten open reported database
vulnerabilities with Oracle, most of which are classified as a "pretty high
risk level," Rothacker said. There are other researchers who regularly submit
their vulnerability findings, so it was likely that were other "potentially
critical vulnerabilities" from other researchers that Oracle is not dealing
with, Rothacker said.
There will be nine fixes for Oracle Fusion middleware, of
which six are critical. The middleware patches will include fixes to WebLogic
and JRockit. Of the 18 vulnerabilities fixed in the Oracle Sun products suite,
seven will be critical. The affected Oracle Sun products including Java Dynamic
Management Kit, Open SSO Enterprise, Sun Java System Access Manager, Solaris,
Sun GlassFish Enterprise Server, Sun Java System Application Server, Sun Java
System Access Manager Policy Agent and Sun Java System Messaging Server. There are
also security holes that affected Oracle iPlanet Web Server, formerly Sun Java
System Web Server.
Oracle assigns a standard CVSS base score to each bug fix to
determine severity. The Common Vulnerability Score System considers the impact
of a successful attack in terms of confidentiality, integrity and availability
as well as the preconditions required to exploit the security flaw. The bugs
affecting JRockit in Oracle Fusion and the Sun GlassFish Enterprise Server and
Sun Java System Application Server included in the Oracle Sun Products suite
all have a CVSS score of 10, making them most critical.
There are 14 new security fixes for the PeopleSoft suite, of
which one is critical. Of the eight new patches for JD Edwards, 7 are flagged
as critical and all three Siebel CRM patches are critical. Eight issues will be
addressed in Oracle Open Office Suite, of which seven are critical.
There are four new fixes in the e-business suite, one in
supply chain products suite, and one in industry applications, but none of them
Java SE and Java for Business client software is not
expected to be updated in this CPU. Oracle still has a separate update cycle
for most client-side Java products, even though it appears that there will be
some Java updates as part of the CPU scheduled for Oct. 18. The next scheduled
Java update is June 7, and the next Oracle CPU is a month later, on July 19.
This quarter's CPU is expected on April 19.