
    Oracle Fixed 57 Bugs in October’s Critical Patch Update

    Written by

    Fahmida Y. Rashid
    Published October 18, 2011

      Oracle released 23 security patches that addressed 57 vulnerabilities, of which 21 have been classified as “critical,” as part of its Critical Patch Update on Oct. 18. The various vulnerabilities affected hundreds of Oracle products, according to the company.

      Oracle calculates a risk score based on the Common Vulnerability Scoring System to assess the severity of each vulnerability. The company also has a different risk rating to indicate the likelihood of a complete takeover. Researchers said Oracle was downplaying the severity of some of the patches.

      “As usual, Oracle’s use of [a] CVSS scoring system takes the scoring of most vulnerabilities down,” Imperva CTO Amichai Shulman wrote on the company blog.

      October’s CPU contained updates to Oracle Database Server 11g and 10g; Oracle Fusion Middleware, including Application Server, Business Intelligence Enterprise Edition, Identity Management and WebLogic; the E-Business Suite; Supply Chain; PeopleSoft; Siebel CRM; Health Sciences Application; and the Sun Product Suite. The company also fixed issues in Oracle Linux 5 and Oracle Sun Ray, part of the company’s virtualization product suite.

      Oracle addressed five vulnerabilities in the database, none of which were considered critical. This would be the lowest number of vulnerabilities patched since the CPU process started in 2005, according to Alex Rothacker, director of security research for Application Security’s TeamSHATTER. Noting the research team has identified several vulnerabilities that have not yet been patched by Oracle, Rothacker said the low number of database patches showed Oracle was losing focus on database security improvements, “probably due to many new product offerings and acquisitions.”

      None of the patches apply to client-only installations. These patches are necessary only for environments where Oracle Database Server is installed, Oracle said in its advisory.

      The highest vulnerability rating among database patches had a CVSS score of 6.5 out of 10, Shulman said, noting that it should “probably be higher” because the effect of CVE-2011-3525 is “practically a full takeover of the database server,” and it’s easy to exploit.

      Rothacker was very concerned about a vulnerability in Database Vault that allowed users to bypass security protections provided by the tool (CVE-2011-3511). Database Vault is a security product that is supposed to make Oracle products more secure, but it continues to be “riddled” with vulnerabilities each quarter, he said. “I remain suspicious of Oracle’s commitment to secure software,” Rothacker said.

      Oracle also patched 22 serious vulnerabilities in the Oracle Sun Products Suite, which includes the former Sun Microsystems’ Solaris operating system and SPARC servers. Affected software includes Oracle Communications Unified, Oracle GlassFish Server, Oracle OpenSSO, Oracle WaveSet, Solaris and SPARC T3, Netra SPARC T3, Sun Fire and Sun Blade servers. Nine of the vulnerabilities are critical.

      A TCP/IP issue in the Solaris LDAP library (CVE-2011-3508) had the highest base score in the entire release, with a 9.3 rating.

      Oracle fixed 10 security holes in Oracle Fusion Middleware, five of which may be remotely exploitable without authentication. Oracle Fusion Middleware products include some of the Oracle Database components that had to be patched in this release. Oracle recommended that administrators apply the database patches before fixing issues with Oracle Fusion Middleware products.

      Oracle E-Business Suite had five flaws, of which three were critical. As with Fusion Middleware, Oracle E-Business Suite products include components from Oracle Database and Oracle Fusion Middleware that were patched in this month’s CPU. Oracle recommended that administrators apply the patch to the database and middleware components within the E-Business Suite.

      Oracle fixed a security flaw in Supply Chain products and seven in Oracle PeopleSoft Products. None were rated critical. Three security holes were fixed in Oracle Siebel CRM (with one critical vulnerability), and both Oracle Industry Applications flaws were rated critical.

      Finally, the critical patch update included patches to fix a flaw in Oracle Linux 5, which was not rated as critical, and one in Oracle Virtualization, which was critical.

      Oracle released the patch updates for Java in a separate release. The Java SE release included patches addressing 20 vulnerabilities, 19 of which could be exploited remotely by an unauthenticated attacker. At least one of the vulnerabilities had the highest CVSS score, 10.
