Oracle has shipped a monster critical patch update with fixes for more than 100 security vulnerabilities in a wide range of database and server products.
The new-look bulletin, which includes CVSS (Common Vulnerability Scoring System) severity scores, patches about 120 bugs in the Oracle Database Server, Oracle Application Server, Oracle Application Express, Oracle Collaboration Suite, Oracle E-Business Suite, Oracles PeopleSoft Enterprise, and Oracles JD Edwards EnterpriseOne applications.
According to Eric Maurice, security manager in Oracles Global Technology Business Unit, more than one-third of the vulnerabilities covered in the quarterly patch release are in an optional product (35 vulnerabilities for Oracle Application Express) and do not affect most customers.
The October batch is the largest CPU released by the Redwood Shores, Calif., vendor since the quarterly release schedule was implemented in January 2005.
Cesar Cerrudo, CEO of Argeniss, a database security research company in Buenos Aires, Argentina, said the most serious bug affects Oracle Application Express (formerly called Oracle HTML DB) and could be exploited remotely without username/password authentication. The bug carries a CVSS base score of 7.0, the highest score in the entire CPU.
There are 22 different patches for the companys flagship Oracle Database product, but none is considered remotely exploitable without authorization. The highest CVSS score for the Oracle Database flaws is 4.2.
The vendor-neutral CVSS standard is used to compute severity scores strictly from metrics and formulas. Oracle offers two CVSS scores—on a scale of 1 to 10—to help customers determine which flaws are considered high-risk.
The Oracle CPU has undergone a significant makeover aimed at making it easier for customers to read and understand the information in the alerts. In addition to CVSS scores, it also features an extra column that explains whether vulnerabilities can be exploited remotely without user name and password authentication and an executive summary detailing whats being fixed in tabular form.
"Whats amazing is there are still a lot of unpatched vulnerabilities, even after this big batch," Cerrudo said in an interview with eWEEK. "There are still more than 50 unpatched bugs that we reported to Oracle," he added.