Oracle Corp. fixed 65 security holes Tuesday in its latest
quarterly Critical Patch Update (CPU). The flaws affect a
variety of products, including the vendor's database and
application server software.
According to Symantec's DeepSight Threat Management Service,
attackers can exploit some of the vulnerabilities to completely
compromise a vulnerable server, and others to partially affect the
availability, confidentiality or integrity of the computer. Both
remote and local attacks are possible, Symantec said.
The latest pile of vulnerabilities is larger than the
36 flaws addressed in Oracle's April CPU, but fewer than the
82 flaws fixed in January.
Some security experts criticized the Redwood Shores,
Calif.-based database giant for
delaying patches for certain platforms in the April CPU. Darius
Wiles, Oracle's senior manager of security alerts, acknowledged
Tuesday that some patches were being held back this time as
well.
"About 10 patches won't be available today because of quality
issues," Wiles said. "Most of those will be out in the next few
days, though some might take a bit longer." Oracle was unable to
provide specifics on the nature of those patches.
However, ten isn't a lot, Wiles added, when one considers that
the July CPU includes a total of 250 patches -- one patch for each
specific product version and platform that's affected by the 65
flaws. He added, "We want to get all patches out by noon PT" the
day of a CPU release, "but if we run across any problems, we will
hold some back."
Of the 65 flaws addressed in the July CPU:
- Four apply to Oracle's database clients and 23 apply to its
server software. Customers should be particularly cognizant of the
four client-side issues, Wiles said, because they tend to be
tougher to patch than issues on the server side. Generally
speaking, customers should be most concerned about flaws that can
be exploited remotely without requiring any credentials, he added.
There are 10 such flaws addressed in the database this time
around.
- Ten affect the Application Server product line and nine of
those are of the most critical nature.
- One affects the Collaboration Suite product line and is among
the more minor issues addressed.
- Twenty affect the E-Business Suite and five of them are of the
most critical nature.
- Four affect Enterprise Manager and two of them are of the most
critical nature.
- Two affect PeopleSoft and one affects JD Edwards. The JD Edwards
flaw is of the most critical nature.
Wiles also noted a formatting change made to this month's patch
bulletin in response to customer feedback. Instead of separate
MetaLink documents for the Database, Enterprise Manager,
Applications Server and Collaboration Suite, information on the
four product lines has been boiled down into one document. That
way, he said, customers don't have to read as much text to find
what they're looking for.
Oracle has been criticized in the past for providing
security bulletins that are very hard to digest. The database
giant has also taken heat in the past for sitting on older flaws,
not always fixing vulnerabilities as advertised in the CPUs and not
including enough information on the specific flaws.
In a recent interview, Wiles and John Heimann, Oracle's director
of security program management,
admitted that a vast array of platforms and mountains of source
code can make for some patching mistakes, but they don't
necessarily agree with some of the flaw findings independent
researchers release to the public.