Oracle has released patches for 82 vulnerabilities in its database and application server software, and collaboration and e-business suites.
The patches, which are part of Oracle’s scheduled quarterly updates, also include fixes for flaws in its PeopleSoft and JD Edwards products.
Many of the flaws are said to have a “wide” impact on database availability, integrity and confidentiality. One vulnerability in Oracle’s databases enables any user with basic access privileges to assume the role of a database administrator. The flaw, which was first reported in October, also allows would-be attackers to prevent illegal activity from being recorded by the database server’s built-in auditing mechanism.
Oracle recently moved to a quarterly patching schedule, but security specialists have criticised the company for leaving vulnerabilities unaddressed, saying the quarterly schedule may not be in users’ best interests. They have also complained that Oracle has released few details of the flaws addressed by the update.
It will pain Oracle to hear it, but some security specialists even believe that, when it comes to addressing security vulnerabilities, Oracle and other suppliers could learn something from Microsoft about openness, as well as about processes for vulnerability discovery, remediation and disclosure.