Oracle released its July Critical Patch Update (CPU) on July 15, providing 113 security fixes impacting multiple applications within its product portfolio. While the security update is new, a pair of vulnerabilities that Oracle is fixing in its newer Oracle 12 database were fixed a year ago in the older Oracle 11 database.
Oracle Database received a total of five fixes in the July CPU, including CVE-2013-3751 and CVE-2013-3774, two vulnerabilities that are now being patched for the Oracle 12 database. Those two vulnerabilities were patched in July 2013 for the Oracle 11 database, while the Oracle 12 database was left unpatched.
“Patching a critical vulnerability in one product and leaving it unpatched in another for more than a year is certainly questionable,” Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK. “It’s possible that there are mitigating factors, such as no reports of exploitation, that allowed them to feel like they could take their time. But if so, that has not been disclosed to the security community at large.”
Amichai Shulman, CTO of Imperva, told eWEEK that, in his view, there are some interesting questions that need to be asked about the two vulnerabilities that were previously fixed for Oracle Database 11 and are now fixed for Oracle 12. One question is whether or not Oracle was aware of these vulnerabilities when the product was shipped out, and if so, should the vendor make customers aware of them?
“Usually vendors do not announce the existence of a vulnerability until they produce a patch,” Shulman said. “However in this case, the vulnerability was announced, but for allegedly a different version of the product.”
Shulman added that, in his opinion, concealing the details of a vulnerability once it becomes public is a bad practice. Attackers were probably able to reconstruct the vulnerability details by comparing the patched and unpatched versions of Oracle 11, he noted. They could then generate exploit code and easily test it against an Oracle 12.x deployment to find out that it is vulnerable as well.
“At the same time, customers had no idea that their Oracle 12 deployments were in fact vulnerable,” Shulman said.
Oracle’s namesake database isn’t the only database technology in the company’s product portfolio. Oracle also has the open-source MySQL database, which is also getting patched this month for 10 security vulnerabilities.
In addition, Oracle Fusion Middleware is being updated with 29 new security fixes, and the Oracle E-Business Suite is receiving five new security fixes in the July CPU. Oracle virtualization technologies including Virtual Box and Oracle Secure Global Desktop (SGD) are being updated with 15 new security fixes.
The other big ticket item in Oracle security updates is always Java. For the July CPU, Oracle is providing fixes for 20 security vulnerabilities in Java, which is a lighter load than usual. Rapid7’s Barrett noted that, in contrast, the April 2014 CPU had 37 and the January 2014 CPU had 36 fixes for Java vulnerabilities. Back in February 2013, Oracle patched Java for 50 security vulnerabilities.
“In some sense the count doesn’t matter, since it’s not really feasible to patch for one out of whatever number are released; you either have that patch with all of them or you don’t,” Barrett said. “The decrease might just be a fluctuation, or it might reflect a gradual lessening in the attention and exposure being associated with Java vulnerabilities.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.