Oracle released 23 security patches that addressed 57 vulnerabilities, of which 21 have been classified as "critical," as part of its Critical Patch Update on Oct. 18. The various vulnerabilities affected hundreds of Oracle products, according to the company.
Oracle calculates a risk score based on the Common Vulnerability Scoring System (CVSS) to assess the severity of each vulnerability. The company also uses a separate risk rating to indicate the likelihood of a complete takeover. Researchers said Oracle was downplaying the severity of some of the patched flaws.
"As usual, Oracle's use of [a] CVSS scoring system takes the scoring of most vulnerabilities down," Imperva CTO Amichai Shulman wrote on the company blog.
October's CPU contained updates to Oracle Database Server 11g and 10g; Oracle Fusion Middleware, including Application Server, Business Intelligence Enterprise Edition, Identity Management and WebLogic; the E-Business Suite; Supply Chain; PeopleSoft; Siebel CRM; Health Sciences Application; and the Sun Product Suite. The company also fixed issues in Oracle Linux 5 and Oracle Sun Ray, part of the company's virtualization product suite.
Oracle addressed five vulnerabilities in the database, none of which were considered critical. This would be the lowest number of vulnerabilities patched since the CPU process started in 2005, according to Alex Rothacker, director of security research for Application Security's TeamSHATTER. Noting the research team has identified several vulnerabilities that have not yet been patched by Oracle, Rothacker said the low number of database patches showed Oracle was losing focus on database security improvements, "probably due to many new product offerings and acquisitions."
None of the patches apply to client-only installations. These patches are necessary only for environments where Oracle Database Server is installed, Oracle said in its advisory.
The highest vulnerability rating among the database patches had a CVSS score of 6.5 out of 10, Shulman said, noting that it should "probably be higher" because the effect of CVE-2011-3525 is "practically a full takeover of the database server," and it is easy to exploit.
Rothacker was very concerned about a vulnerability in Database Vault that allowed users to bypass security protections provided by the tool (CVE-2011-3511). Database Vault is a security product that is supposed to make Oracle products more secure, but it continues to be "riddled" with vulnerabilities each quarter, he said. "I remain suspicious of Oracle's commitment to secure software," Rothacker said.
Oracle also patched 22 serious vulnerabilities in the Oracle Sun Products Suite, which includes the former Sun Microsystems' Solaris operating system and SPARC servers. Affected software includes Oracle Communications Unified, Oracle GlassFish Server, Oracle OpenSSO, Oracle WaveSet, Solaris, and the SPARC T3, Netra SPARC T3, Sun Fire and Sun Blade servers. Nine of the vulnerabilities are critical.
A TCP/IP issue in the Solaris LDAP library (CVE-2011-3508) had the highest base score in the entire release, with a 9.3 rating.
Oracle fixed 10 security holes in Oracle Fusion Middleware, five of which may be remotely exploitable without authentication. Oracle Fusion Middleware products include some of the Oracle Database components that had to be patched in this release. Oracle recommended that administrators apply the database patches before fixing issues with Oracle Fusion Middleware products.
Oracle E-Business Suite had five flaws, of which three were critical. As with Fusion Middleware, Oracle E-Business Suite products include components from Oracle Database and Oracle Fusion Middleware that were patched in this month's CPU. Oracle recommended that administrators apply the patches to the database and middleware components within the E-Business Suite.
Oracle fixed a security flaw in Supply Chain products and seven in Oracle PeopleSoft Products. None were rated critical. Three security holes were fixed in Oracle Siebel CRM (with one critical vulnerability), and both Oracle Industry Applications flaws were rated critical.
Finally, the critical patch update included patches to fix a flaw in Oracle Linux 5, which was not rated as critical, and one in Oracle Virtualization, which was critical.
Oracle released the patch updates for Java in a separate release. The Java SE release included patches addressing 20 vulnerabilities, 19 of which could be exploited remotely by an unauthenticated attacker. At least one of the vulnerabilities had the highest CVSS score, 10.