Oracle's latest CPU addresses 26 issues, some of which are vulnerabilities that can be exploited remotely.

Oracle has released its first Critical Patch Update (CPU) of 2008 with 26 new
security fixes.
The update included a total of eight fixes for Oracle database products,
seven new security fixes for the Oracle E-Business Suite, six for Oracle
Application Server, four for Oracle PeopleSoft Enterprise PeopleTools and one
patch for a flaw affecting Oracle Collaboration Suite.
Oracle reported the week of Jan. 7 that it planned
to issue 27 fixes in the latest CPU. But in a statement, Oracle officials said
a patch for a flaw affecting Oracle Enterprise Manager has been put on hold.
"Patch quality is Oracle's foremost priority with each CPU," a
company spokesperson said. "During testing, Oracle's development team
identified a potential problem with a fix affecting Oracle Enterprise Manager
on certain platforms. Per Oracle's policy, this fix was removed from the
January 2008 Critical Patch Update, and will be reissued in a future Critical
Patch Update for all platforms affected by this specific vulnerability."
Two vulnerabilities, both in the Oracle JInitiator component of Oracle
Application Server, carry a CVSS (Common Vulnerability Scoring System) score of
9.3 out of a possible 10. That score applies to client installations; neither
vulnerability affects the server side. Of the six vulnerabilities involving
Oracle Application Server addressed in the CPU, five are remotely exploitable
without authentication.
The vulnerabilities affecting the database cannot be exploited without
authentication, but they affect a number of Oracle Database components,
including Advanced Queuing, Core RDBMS (relational DBMS), Oracle Agent, Oracle
Spatial and XML DB.
Seven patches address problems in the company's E-Business Suite, three of
which can be exploited remotely without a user name and password. The patches
plug holes in the CRM Technical Foundation, Mobile Application Server, Oracle
Application Object Library, Oracle Applications Framework, Oracle Applications
Manager and the Oracle Applications Technology Stack components of Oracle
E-Business Suite, the company stated in its advisory.
Four other fixes address problems with Oracle PeopleSoft Enterprise
products, and the final one deals with a problem with the Oracle Ultra Search
component of Oracle Collaboration Suite.
But the issue for many may not be how many patches are issued, but whether
database administrators apply them at all. A survey of 305 DBAs, consultants
and others by database security company Sentrigo found that just 31
respondents, or roughly 10 percent, had deployed the most recent CPU from
Oracle. About two-thirds said they had never applied a Critical Patch Update
from Oracle.
Officials at Sentrigo said many DBAs are behind in installing the updates
because of the amount of labor involved and the potential impact of downtime on
their organizations. The quarterly updates can be large; the last CPU in
October included 51 patches.
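The survey figures above raise an obvious question for anyone responsible for an Oracle estate: which CPUs have actually been applied to a given database? The query below is an added example, not something from the article or from Oracle or Sentrigo. It reads the database's own patch history. It assumes an Oracle 10g or 11g database where the CPU post-install script has been run (that script records a row in DBA_REGISTRY_HISTORY), that the connected user can read that view, and that CPU rows are tagged with ACTION = 'CPU' and a COMMENTS label of the form 'CPUJan2008'; treat the exact label format as an assumption to confirm against the CPU's own README.

```sql
-- Added example (not from the article): list the Critical Patch Updates
-- recorded in this database's patch history, oldest first.
-- Assumption: the CPU post-install script has been run, so each applied
-- CPU leaves a row in DBA_REGISTRY_HISTORY with ACTION = 'CPU'.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 WHERE action = 'CPU'
 ORDER BY action_time;

-- Added example: flag a database that has no record of the January 2008 CPU.
-- Assumption: the CPU label appears in COMMENTS as 'CPUJan2008'; verify the
-- exact label against the CPU README before relying on this check.
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'January 2008 CPU NOT recorded'
         ELSE 'January 2008 CPU recorded'
       END AS cpu_status
  FROM dba_registry_history
 WHERE action = 'CPU'
   AND UPPER(comments) LIKE 'CPUJAN2008%';
```

Two caveats for practitioners. An empty result only shows that the post-install script never ran in this database; the binary patch may still have been applied to the Oracle home, so cross-check with the OPatch inventory (opatch lsinventory) before concluding a system is unpatched. Conversely, a recorded row does not prove the fix is live if the instance has not been restarted since the patch was applied.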