Oracle Updates New Database for Old Flaws
Oracle's July Critical Patch Update provides fixes for 113 vulnerabilities across its software portfolio, including Java, MySQL and Oracle Database.Oracle released its July Critical Patch Update (CPU) on July 15, providing 113 security fixes impacting multiple applications within its product portfolio. While the security update is new, a pair of vulnerabilities that Oracle is fixing in its newer Oracle 12 database were fixed a year ago in the older Oracle 11 database. Oracle Database received a total of five fixes in the July CPU, including CVE-2013-3751 and CVE-2013-3774, two vulnerabilities that are now being patched for the Oracle 12 database. Those two vulnerabilities were patched in July 2013 for the Oracle 11 database, while the Oracle 12 database was left unpatched. "Patching a critical vulnerability in one product and leaving it unpatched in another for more than a year is certainly questionable," Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK. "It's possible that there are mitigating factors, such as no reports of exploitation, that allowed them to feel like they could take their time. But if so, that has not been disclosed to the security community at large." Amichai Shulman, CTO of Imperva, told eWEEK that, in his view, there are some interesting questions that need to be asked about the two vulnerabilities that were previously fixed for Oracle Database 11 and are now fixed for Oracle 12. One question is whether or not Oracle was aware of these vulnerabilities when the product was shipped out, and if so, should the vendor make customers aware of them?
"Usually vendors do not announce the existence of a vulnerability until they produce a patch," Shulman said. "However in this case, the vulnerability was announced, but for allegedly a different version of the product."