Oracle has released its first critical patch update of 2008 with 26 new security fixes.
The update included a total of eight fixes for Oracle database products, seven new security fixes for the Oracle E-Business Suite, six for Oracle Application Server, four for Oracle PeopleSoft Enterprise PeopleTools and one patch for a flaw affecting Oracle Collaboration Suite.
Oracle reported the week of Jan. 7 that it planned to issue 27 fixes in the latest CPU. But in a statement, Oracle officials said a patch for a flaw affecting Oracle Enterprise Manager has been put on hold.
"Patch quality is Oracle's foremost priority with each CPU," a company spokesperson said. "During testing, Oracle's development team identified a potential problem with a fix affecting Oracle Enterprise Manager on certain platforms. Per Oracle's policy, this fix was removed from the January 2008 Critical Patch Update, and will be reissued in a future Critical Patch Update for all platforms affected by this specific vulnerability."
Two vulnerabilities-both of which affect the Oracle JInitiator component of Oracle Application Server-registered a CVSS (Common Vulnerability Scoring System) score of 9.3 out of a possible 10 for clients. Neither vulnerability affects the server. Of the six vulnerabilities involving Oracle Application Server addressed in the CPU, five are remotely exploitable without authentication.
The vulnerabilities affecting the database cannot be exploited without authentication, but they affect a number of Oracle Database components, including Advanced Queuing, Core RDBMS (relational DBMS), Oracle Agent, Oracle Spatial and XML DB.
Seven patches address problems in the company's E-Business Suite, three of which can be exploited remotely without a user name and password. The patches plug holes in the CRM Technical Foundation, Mobile Application Server, Oracle Application Object Library, Oracle Applications Framework, Oracle Applications Manager and the Oracle Applications Technology Stack components of Oracle E-Business Suite, the company stated in its advisory.
Four other fixes address problems with Oracle PeopleSoft Enterprise products, and the final one deals with a problem with the Oracle Ultra Search component of Oracle Collaboration Suite.
But the issue for many may not be how many patches are issued, but whether or not database administrators care. A survey of 305 DBAs, consultants and others by database security company Sentrigo found that just 31 people, or roughly 10 percent of those surveyed, had deployed the most recent set of CPUs (critical patch updates) from Oracle. About two-thirds said they had never applied a critical update from Oracle.
Officials at Sentrigo said many DBAs are behind in installing the updates because of the amount of labor involved and the potential impact of downtime on their organizations. The quarterly updates can be large; the last CPU in October included 51 patches.