RealTime IT News

Oracle Issues 10th Quarterly Patch

US-CERT has issued a Technical Cyber Security Alert on its National Cyber Alert system for the latest round of Oracle security fixes.

Oracle has patched 36 security bugs across various products. This is one of the lowest bug counts the company has reported in its quarterly Critical Patch Update (CPU) cycle, the 10th since the company began the CPU process.

Not all the bugs that Oracle is fixing in this update are new, however. Among the bugs it addresses is one that dates back to 2003, according to security firm Red Database Security.

Oracle's database products get the lion's share of fixes with 14 in total. Oracle E-Business suite is close behind with 11 new security fixes, two of which the company said can be remotely exploited over a network without the need for a username and password.

Five security fixes are in the mix for Oracle Application Server, with one being specific to the Oracle Collaboration Suite. Enterprise Manager gets one fix that may be remotely exploitable without authentication.

There are also single fixes for J.D. Edwards' EnterpriseOne and OneWorld Tools, as well as PeopleSoft Enterprise Human Capital Management.

The number of flaws Oracle has reported has decreased regularly of late. January's CPU reported 51 flaws, which was nearly half the 101 flaws that Oracle reported in October.

The company first began detailing which flaws were remotely exploitable without authentication in the October CPU in which 56 such flaws were identified.

The 36 flaws in this update match the number that Oracle reported in its April 2006 CPU one year ago.

Eric Maurice, manager for security in Oracle's global technology business unit, praised the CPU process as something that is working out well for customers.

"The predictability provided by the Critical Patch Update mechanism is very important to Oracle customers," Maurice wrote on the Oracle Global Product Security blog. "It results in enabling customers to plan for the Critical Patch Updates and install them in their normal maintenance windows to avoid undue interruptions in their business-critical systems."

Though Oracle's CPU process may well be making security updates easier for customers, that is not to say the process is easy for Oracle.

"Even as we reach our tenth Critical Patch Update milestone, the effort required to produce and test the patches for all products and platforms combinations in time for our quarterly release dates remains significant," Maurice continued on the blog.

As such, for its next CPU, scheduled for July, Oracle will only update on request what it considers to be historically inactive combinations of its Oracle Server and Middleware Products. Maurice does not expect the change to affect the majority of customers.

Oracle first announced the quarterly Critical Patch Update model in November 2004 and issued its first quarterly CPU in January 2005.

The move to the quarterly update cycle followed a period in which Oracle was updating on a monthly basis, a process that frustrated many customers.