RealTime IT News

At 51 Fixes, Oracle Cuts Security Holes

Oracle is out with its first Critical Patch Update (CPU) of 2007, and it addresses 51 different security vulnerabilities. The number may seem high, but it is actually fewer than in past updates, thanks in part to Oracle's new reporting methods.

The 51 vulnerabilities affect Oracle Database Server, Oracle Applications Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.

Oracle's last CPU came out in October of 2006 and addressed 101 new flaws. At the time, the database giant also introduced more transparent reporting for its updates, identifying whether a vulnerability is actually remotely exploitable. As a result, Oracle now publishes Common Vulnerability Scoring System (CVSS) scores in its CPUs.

"Our use of CVSS has generated a lot of support from customers and genuine interest from the industry," Eric Maurice, manager of security in Oracle's global technology business unit, wrote on Oracle's security blog.

The CVSS scores in the January CPU also reveal that Oracle is reporting 51 vulnerabilities in total, but that seven of them have a CVSS "Base Metric" score of zero.

"This is because this type of vulnerability represents problems that we believe are not exploitable in a default database environment (as provided by Oracle 'out of the box')," Maurice explained. "Code that runs affected programs as a privileged user (e.g. custom code developed by customers, which passes input from an untrusted source) may be exploitable. In particular, it may allow malicious code to be run with administrative privileges."

Though the numbers aren't terrible, the January update still addresses some very serious flaws. It includes some 26 patches for Oracle's database products, 10 of which could potentially be exploited remotely without even a username or password. Oracle's Application Server software isn't out of the woods either, with eight critical vulnerabilities that can also be exploited remotely without a username or password.

Ron Ben-Natan, CTO of Guardium, a Waltham, Mass., database security and compliance company, noted that the database risk matrix in the latest Oracle CPU shows significant improvement as compared with previous CPUs.

"There are fewer issues in the core relational database management system, the issues are less critical, and fewer issues can be exploited remotely without authenticating to the database," he said. "This improvement is undoubtedly a result of the significant focus Oracle has been placing on security, and the company's push to become a strong player in enterprise security."