Oracle Patches Database Vulnerabilities | eWeek

Oracle Patches Database Vulnerabilities

Écrit par
Michael Myser
Michael Myser
Apr 13, 2005
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Oracle on Tuesday released its now-quarterly patch update, plugging vulnerabilities in 16 different products and applications, including the first patches for PeopleSoft applications since it completed the purchase of the company on Jan. 7, 2005.

Security experts see database vulnerabilities as an emerging threat that attackers, enterprises and database vendors like the Redwood Shores, Calif. database giant Oracle Corp. are all beginning to recognize.

“I would argue that databases are becoming much more understood by attackers, and they are significantly more valuable to the criminal element,” said Jose Nazario, a security researcher for Arbor Networks Inc. in Lexington, Mass.

“Databases are the basis for compliance, and that makes this unique,” said Ted Julian, vice president of marketing for Application Security Inc. “Its where the crown jewels are stored, so its added an urgency that other parts of the business didnt see.”

The most recent patches from Oracle address security vulnerabilities found in Oracle Database 10g, several versions of Oracles database servers and application servers, Oracle Collaboration Suite, E-Business Suite and Enterprise Manager.

In addition, Oracle created six patches for PeopleSoft EnterpriseOne Applications and a single patch for OneWorldXe/ERP8 Applications. For all products except E-Business Suite, the patches contain fixes from previous updates.

The vulnerabilities are rated in a “Risk Matrix,” which ranks the impact of each vulnerability on “confidentiality, integrity and availability,” as well as how difficult Oracle expects the patch to be to complete.

“Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage,” Oracle wrote in an accompanying policy statement. Its an ongoing debate in the security community as to whether the level of detail provided by Oracle and other application developers is appropriate. Oracle states that it doesnt provide “specifics of vulnerabilities beyond what is provided in the Critical Patch Update.”

“Its my opinion that that vagueness may actually work to their advantage,” said Shane Coursen, senior technology consultant for Kaspersky Lab Inc., a security firm in Woburn, Mass. “When a security vulnerability is discussed at length, I dont think for a second bad guys arent learning from those discussions.”

Coursen does believe, however, that Oracle is still learning what is appropriate and developing its patch processes on the fly, as its only the companys second official quarterly “patch day.”

/zimages/4/28571.gifTo read more about Oracles shift to a quarterly patching cycle,click here.

“Oracle may not yet be fully in the mode of having to provide update patches,” said Coursen. “Just as it was with Microsoft, Oracle is going through a learning process. With a few more iterations of quarterly updates, and with good communication between their developers and their customer base, we should see an update process more and more refined.”

Julian at Application Security Inc. in New York agreed. “People are discovering more vulnerabilities and forcing Oracle to do a more thorough and regular job to patch these vulnerabilities,” he said. “Its a cumbersome process, but at the same time, the stakes couldnt be higher.”

The security firms also believe the move to scheduled patch day is a blessing for enterprise security teams.

“Its clear to us that enterprises are pleased with the schedule,” said Julian. “It makes it feasible for them to create a process for deploying their security. Without it, its almost an untenable situation.”

The next round of patches is scheduled for July 12, followed by a Q4 release on October 18.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.