RealTime IT News

Oracle Patches 41 flaws in First 2009 Update

Oracle is out with its first critical patch update (CPU) for 2009 fixing no less than 41 flaws in Oracle products with nearly half of them specific to Oracle's database product suite.

All told Oracle's database products receive 20 security fixes spread across three sub-product lines. Oracle's namesake database gets ten fixes in the January CPU, none of which are remotely exploitable without authentication. Oracle's Secure Backup is being patched for 9 issues and the Oracle TimesTen Data Server is being patched for one issue. All of the issues for the secure backup and TimesTen products are remotely exploitable without authentication.

Since October of 2006 Oracle has been using a system called CVSS (Common Vulnerability Scoring System) to provide a score for the relative impact of a particular vulnerability. With the January 2009 CPU, Oracle is reporting five vulnerabilities with a score of 10, which is the highest possible score indicating the most severe type of issue. Four of the CVSS score 10 items were found in Oracle's Secure Backup and one was found in Oracle's BEA WebLogic Server Plugins for Apache, Sun and IIS web servers.

"This is the highest number of 10s we've seen since Oracle began using the CVSS rating system," Amichai Shulman, CTO of database security vendor Imperva told InternetNews.com.

In addition to the 20 flaws in Oracle's database products, Oracle Application Server is being patched for four issues only two of which are remotely exploitable without authentication. Oracle Collaboration Suite gets one fix while the Oracle Applications Suite receives four fixes. The PeopleSoft and JDEdwards Suites get 6 fixes and Oracle Enterprise Manager gets tagged with one fix.

Rounding out the January CPU are five security fixes for Oracle's BEA products all of which are remotely exploitable without authentication. Oracle first began adding BEA products to the CPU in July of 2008, seven months after Oracle acquired the company.

Taking a hard look at WebLogic

Eric Maurice, manager for security in Oracle's global technology business unit, noted in a blog post that since the initial discovery of some BEA WebLogic flaws in 2008 there has been a lot of attention on reviewing WebLogic. That attention includes an Oracle White Hat ethical hacker team that has been examining the product.

"In many ways, the remediation of severe vulnerabilities in the context of today’s Critical Patch Update with Oracle Secure Backup and the Oracle Weblogic Server plugins highlight the effectiveness of an ongoing Security Assurance effort, which involves the entire development organization, as well as internal security teams, and trusted Security Researchers," Maurice blogged. "

Maurice added that in his view mature Oracle products are now experiencing less critical vulnerabilities. It's a claim that Imperva's Shulman partially agrees with, though he has some concerns.

"Oracle is certainly doing a better job of finding and fixing vulnerabilities, but they need to improve their process for helping customers cope with the vulnerabilities," Shulman alleged. "This and previous updates do not provide the details about the critical vulnerabilities that customers need to assess the risk to their environment or apply workarounds."

Shulman added that vendors and security solution providers also lack the information they need to respond in a timely fashion with work arounds that would allow customers to remain protected until the patch is deployed.

Oracle CPUs come out on a quarterly basis, the next update is scheduled for April 14th.