Oracle is planning a giant Critical Patch Update for January, fixing 79 vulnerabilities in 20 major areas affecting hundreds of products, including the flagship Oracle database software and MySQL.
The patches will address security flaws in Oracle Database Server, Fusion Middleware, E-Business, Supply Chain, PeopleSoft, JD Edwards, Sun, Virtualization and MySQL product suites, Oracle said in the Critical Patch Update pre-release announcement released Jan. 12. Oracle’s scheduled quarterly update is due for release on Jan. 17.
The most serious of these vulnerabilities may be remotely exploitable without authentication, according to Oracle. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said, noting that several of the vulnerabilities affected multiple products.
Oracle uses standard Common Vulnerability Scoring System (CVSS) 2.0 to rank the severity of its vulnerabilities. The highest-scoring vulnerability under this system was a security issue in Solaris, with a CVSS score of 7.8, according to the advisory.
Oracle is planning only two security fixes for Oracle Database Server, according to the database announcement. One of them could potentially be exploited by an attacker over the network without a username or password. The fixes don’t apply to client-only deployments where there is no Oracle Database Server installed, Oracle said.
The low number of database patches in this CPU continues the trend in which Oracle seems to be losing its focus on database security fixes as it becomes more than just a database company, Alex Rothacker, director of security research for Application Security’s TeamSHATTER, told eWEEK. The research team has reported several Oracle database vulnerabilities to the company and many have yet to be fixed, he said, adding that “Most of them are not too hard to fix.”
“This is the lowest number (two) of fixes that Oracle has issued for the Database since they started the CPU program in 2005,” Rothacker said.
Oracle released only 34 fixes for Oracle Database Server in all of 2011, with five in October, 16 in July, six in April and seven in January.
Back in April, Rothacker noted that TeamShatter was not the only group of researchers reporting database bugs to Oracle. “Who knows how many other potentially critical vulnerabilities have been reported by others that are not being dealt with?” Rothacker asked.
Many of the fixes are in the products Oracle gained as part of its 2010 buyout of Sun Microsystems. The CPU contains 27 fixes for Oracle MySQL Server and one of the vulnerabilities could be exploited remotely. Another 17 fixes will be in the Oracle Sun Products Suite, of which six may be remotely exploitable without authentication, according to the pre-release announcement. The vulnerabilities affected GlassFish Enterprise Server, Oracle Communications Unified, Oracle OpenSSO and Solaris. Oracle patches Java separately and does not include those fixes in the CPU process.
It’s possible that Oracle addressed the denial-of-service vulnerability in popular Web application frameworks, which was disclosed at the Chaos Communication Congress in Germany in December in this CPU. While most reports focused on the vulnerability in Microsoft’s ASP.NET framework, the researchers had said the issue was in several other products, including Oracle’s GlassFish. Oracle did not release any details in the pre-announcement, but had told researchers that a GlassFish update would be in a “future CPU.”
The fact that Oracle is releasing 27 fixes in MySQL does not mean Oracle is still focused on databases, according to Rothacker. As an open-source product, MySQL is largely developed and fixed by the developer community, and “it should not go overlooked who actually put forth the effort to create these fixes and the lack of emphasis that Oracle has been placing on the Oracle Database product line,” Rothacker said.
There was a slight delay in posting the pre-announcement, and at one point, Oracle had a placeholder page on its site claiming the CPU would be postponed for two days. “This is a place holder for the Critical Patch Update Pre-Release Announcement – Jan 2012, to be released on Jan 14th, and the Critical Patch Update – Jan 2012 to be released on Jan 19th, 2012,” the announcement said.
The two-delay spurred speculation among watchers that Oracle may have found a bug in one of the patches at the last minute and had thought it could be fixed within the two-day window. It was possible that the team decided to remove the patch altogether and stick with the schedule.
Whatever it was, Oracle is not talking. “The CPU is not being delayed,” an Oracle spokesperson told eWEEK.