Oracle will patch 78 software vulnerabilities across its product portfolio, including the Oracle database and PeopleSoft as part of its quarterly CPU (Critical Patch Update).
Oracle will deliver patches
for almost every product in its portfolio in its quarterly Patch Tuesday update
next week. July's update package is slightly larger than the April update in
which 73 issues were fixed and a number of critical flaws were patched.
Oracle plans to fix 78
security vulnerabilities, including 13 issues in its flagship database software
in the next Critical Patch Update, the company said in its
CPU pre-release announcement
July 14. Of the fixed issues, Oracle
classified 27 vulnerabilities as critical or issues that may be exploited
remotely without requiring a user name or password.
July's CPU will contain
updates to Oracle Database Server 11g and 10g, Oracle Fusion middleware, Oracle
Enterprise Manager Grid Control, Oracle Application Server, Oracle Identity
Management, E-Business suite, Supply Chain product suite and PeopleSoft will be
updated. There will also be security fixes addressing security flaws in the
Oracle Sun product suite, including Solaris, SPARC and VirtualBox, according
the Oracle's prerelease announcement.
This quarter's CPU is
expected July 19.
"I'm glad to see that
Oracle has addressed some of these critical vulnerabilities," Josh Shaul,
CTO of Application Security, told eWEEK.
Of the 13 database fixes,
two are considered critical, and two are applicable to client-only
installations where Oracle Database Server is not installed. The highest CVSS
(Common Vulnerability Scoring System) Base Score for database bugs was 7.1.
The CVSS is used to assign a
score with each disclosed vulnerability to determine a sense of urgency on when
it should be patched. In many organizations, if a vulnerability is not reported
as critical or has a CVSS score of 7.0 and higher, it is less likely to be
considered urgent or worthy of a fix, according to Application Security's
There are three fixes for
Oracle Secure Backup, all of which are critical. The highest CVSS Base Score
was 10, the highest score possible under the system.
There will be seven fixes
for Oracle Fusion middleware, of which two are critical. The highest CVSS score
was also 10. The middleware patches will include fixes to the Oracle Security
Service and JRockit.
Of the 18 vulnerabilities
fixed in the Oracle Enterprise Manager Grid Control, nine may be critical. The
highest CVSS score is 6.8. The E-Business suite has only one fix, which is
critical and rated 4.3 while the single vulnerability in the Oracle Supply
Chain products suite is not critical, and scored a mere 4.0.
"It's disappointing to
see Oracle introducing new vulnerabilities to their customers through these
security products (Database Vault and Enterprise Manager), but it's encouraging
to see them being addressed," Shaul said.
The PeopleSoft update
addresses 12 new fixes, only one of which is remotely exploitable. The severity
appears to be low, as well, as the highest CVSS score was 5.5. The Oracle Sun
suite had the greatest number of bug fixes, at 23 new patches. Nine were
critical, and the highest CVSS score was 10. Bugs were addressed in GlassFish
Server, Solaris Cluster, VirtualBox for running virtual machines, Solaris
operating system and for the SPARC processor.
Java is not included in the
Sun Products suite update as Oracle still has a separate update cycle for
client-side Java products. In the last update, in June, 17