US-CERT has issued a Technical Cyber Security Alert on its National Cyber
Alert system for the latest round of Oracle security fixes.
Oracle has patched 36 security bugs across various products. This is one of the lowest bug counts the company has reported in its quarterly Critical Patch Update (CPU) cycle, the 10th since the company began the CPU process.
Not all the bugs that Oracle is fixing in this update are new, however. Among the bugs it addresses is one that dates back to 2003, according to security firm Red Database Security.
Oracle’s database products get the lion’s share of fixes with 14 in total.
Oracle E-Business suite is close behind with 11 new security fixes, two of
which the company said can be remotely exploited over a network without the need
for a username and password.
Five security fixes are in the mix for Oracle Application Server, with one being specific to the Oracle Collaboration Suite. Enterprise Manager gets one fix
that may be remotely exploitable without authentication.
There are also single fixes for J.D. Edwards’ EnterpriseOne and
OneWorld Tools, as well as PeopleSoft Enterprise Human Capital Management.
The number of flaws Oracle has reported has decreased regularly of late. January’s CPU reported 51 flaws, which was nearly half the 101 flaws that Oracle reported in October.
The company first began detailing which flaws were remotely exploitable without authentication in the October
CPU in which 56 such flaws were identified.
The 36 flaws in this update match the number that Oracle reported in its April 2006 CPU one year ago.
Eric Maurice, manager for security in Oracle’s global technology business
unit, praised the CPU process as something that is working out well for
customers.
“The predictability provided by the Critical Patch Update mechanism is very
important to Oracle customers,” Maurice wrote on the Oracle Global Product
Security blog. “It results in enabling customers to plan for the Critical
Patch Updates and install them in their normal maintenance windows to avoid
undue interruptions in their business-critical systems.”
Though Oracle’s CPU process may well be making security updates easier for customers, that is not to say the process is easy for Oracle.
“Even as we reach our tenth Critical Patch Update milestone, the effort
required to produce and test the patches for all products and platforms
combinations in time for our quarterly release dates remains significant,”
Maurice continued on the blog.
As such, for its next CPU, scheduled for July, Oracle will only update on request what it considers to be historically inactive combinations of its Oracle Server and Middleware products. Maurice does not expect the change to affect the majority of customers.
Oracle first announced the quarterly Critical Patch Update model in November 2004
and issued its first quarterly CPU in January 2005.
The move to the quarterly update cycle followed a period in which Oracle was updating on a monthly basis, a process that frustrated many customers.