
At 51 Fixes, Oracle Cuts Security Holes

Jan 17, 2007


Oracle is out with its first Critical Patch Update (CPU) of 2007, and it addresses 51
different security vulnerabilities. The number may seem high, but it is actually
fewer than in past updates, thanks in part to Oracle’s new reporting methods.

The 51 vulnerabilities affect Oracle Database Server, Oracle Application
Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle
Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.

Oracle’s last CPU came out in October of 2006 and addressed 101 new flaws. At
the time, the database giant also introduced new reporting transparency for
its updates, identifying when a vulnerability is actually remotely
exploitable. As a result, Oracle now uses Common Vulnerability Scoring System
(CVSS) scores in its CPUs.


“Our use of CVSS has generated a lot of support from customers and genuine
interest from the industry,” Eric Maurice, manager of security in Oracle’s
global technology business unit, wrote on Oracle’s security
blog.


The CVSS scores in the January CPU also reveal that, of the 51 vulnerabilities
Oracle is reporting in total, seven have a CVSS “Base Metric” score of zero.


“This is because this type of vulnerability represents problems that we
believe are not exploitable in a default database environment (as provided
by Oracle ‘out of the box’),” Maurice explained. “Code that runs affected
programs as a privileged user (e.g. custom code developed by customers,
which passes input from an untrusted source) may be exploitable. In
particular, it may allow malicious code to be run with administrative
privileges.”


Though the numbers aren’t terrible, the January update still addresses some
very serious flaws. It includes 26 patches for Oracle’s database products, 10
of which could potentially be exploited remotely without even a username or
password. Oracle’s Application Server software isn’t out of the woods either,
with eight critical vulnerabilities that can also be exploited remotely
without usernames or passwords.


Ron Ben-Natan, CTO of Guardium, a Waltham, Mass.,
database security and compliance company, noted that the database risk matrix
in the latest Oracle CPU shows significant improvement as compared with
previous CPUs.


“There are fewer issues in the core relational database management system,
the issues are less critical, and fewer issues can be exploited remotely
without authenticating to the database,” he said. “This improvement
is undoubtedly a result of the significant focus Oracle has been placing on
security, and the company’s push to become a strong player in enterprise
security.”
