Oracle Plans 73 Bug Fixes in Quarterly Critical Patch Update

Oracle will release patches addressing 73 vulnerabilities across its product portfolio, including six for its databases next week as part of its quarterly CPU.

Oracle is delivering patches for almost every product in its portfolio in its quarterly update next week. April's update package is much larger than the January update where 66 issues were fixed, but this time Oracle seems to be focusing less on its core database business.

Oracle plans to fix 73 security vulnerabilities, including six issues in its flagship database software in the next Critical Patch Update, the company said in its CPU pre-release announcement on April 14. Of the fixed issues, Oracle classified 36 vulnerabilities as critical, or issues that may be exploited remotely without requiring a username or password.

April's CPU will contain updates to Oracle Database Server11g and 10g, Oracle Fusion middleware, Oracle Enterprise Manager Grid Control, Oracle Siebel CRM, and Oracle Industry Applications. All the suites, E-Business, Supply Chain Products, PeopleSoft and JD Edwards, will be updated. There will also be security fixes addressing security flaws in Open Office 3, Star Office/Star Suite 7 and 8, and the Oracle Sun product suite, including Solaris and some Java server software, according the Oracle's pre-release announcement.

Just like the last CPU in January, there will be six database fixes, of which two are considered critical. Similar to the January update, the vulnerabilities fixed are in components not commonly implemented in many environments, such as database vault and UIX.

The small number of database fixes despite the overall large size of the CPU raised some flags. "As Oracle continues to get further and further away from being a database-only vendor, their attention and dedication to fixing vulnerabilities on the database platform continues to move in a downward trend," Alex Rothacker, director of security research for TeamSHATTER, the research arm of Application Security, told eWEEK.

TeamSHATTER currently has ten open reported database vulnerabilities with Oracle, most of which are classified as a "pretty high risk level," Rothacker said. There are other researchers who regularly submit their vulnerability findings, so it was likely that were other "potentially critical vulnerabilities" from other researchers that Oracle is not dealing with, Rothacker said.

There will be nine fixes for Oracle Fusion middleware, of which six are critical. The middleware patches will include fixes to WebLogic and JRockit. Of the 18 vulnerabilities fixed in the Oracle Sun products suite, seven will be critical. The affected Oracle Sun products including Java Dynamic Management Kit, Open SSO Enterprise, Sun Java System Access Manager, Solaris, Sun GlassFish Enterprise Server, Sun Java System Application Server, Sun Java System Access Manager Policy Agent and Sun Java System Messaging Server. There are also security holes that affected Oracle iPlanet Web Server, formerly Sun Java System Web Server.

Oracle assigns a standard CVSS base score to each bug fix to determine severity. The Common Vulnerability Score System considers the impact of a successful attack in terms of confidentiality, integrity and availability as well as the preconditions required to exploit the security flaw. The bugs affecting JRockit in Oracle Fusion and the Sun GlassFish Enterprise Server and Sun Java System Application Server included in the Oracle Sun Products suite all have a CVSS score of 10, making them most critical.

There are 14 new security fixes for the PeopleSoft suite, of which one is critical. Of the eight new patches for JD Edwards, 7 are flagged as critical and all three Siebel CRM patches are critical. Eight issues will be addressed in Oracle Open Office Suite, of which seven are critical.

There are four new fixes in the e-business suite, one in supply chain products suite, and one in industry applications, but none of them are critical.

Java SE and Java for Business client software is not expected to be updated in this CPU. Oracle still has a separate update cycle for most client-side Java products, even though it appears that there will be some Java updates as part of the CPU scheduled for Oct. 18. The next scheduled Java update is June 7, and the next Oracle CPU is a month later, on July 19.

This quarter's CPU is expected on April 19.