Oracle Patches 45 Vulnerabilities
Oracle (NASDAQ: ORCL) is out with its latest critical patch update (CPU), this time providing fixes for 45 security vulnerabilities spanning the Oracle product portfolio.

The July update marks the first since Oracle acquired BEA. Security updates for BEA products are included in the CPU as well.

At 45 reported vulnerabilities, the July tally is up marginally from the 41 reported in April.

“The three most notable elements of this CPU are Oracle’s decision to use CVE codes for vulnerability naming and that nine out of 10 Database vulnerabilities apply not only to older versions of Oracle database server but also to the newest version, Oracle 11g,” Amichai Shulman, CTO of database security firm Imperva, said. “And finally, two of the database vulnerabilities are in the Oracle authentication mechanism,” he added.

Common Vulnerabilities and Exposures, or CVE, is a standard for assigning one common identifier to each publicly known vulnerability, so that advisories, scanners and patch notes from different vendors refer to the same flaw by the same name. The CVE system is widely used by technology vendors such as Microsoft (NASDAQ: MSFT) and Mozilla to identify security issues.

“Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention previously used in the CPU risk matrices,” Eric Maurice, manager for security in Oracle’s global technology business unit, noted in a blog post. “As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier,” Maurice said. “This change was made possible because Oracle became a ‘Candidate Naming Authority’ under the CVE program.”

Candidate Naming Authority status means Oracle can assign a CVE identifier to each vulnerability it fixes itself, rather than waiting for MITRE or another third party to do so. In practice that lets the identifier appear in the CPU risk matrix on the day the patch ships, so vulnerability scanners and patch-tracking tools can key on the CVE from the outset instead of on a vendor-specific label.
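Because advisories, scanner output and ticket systems now all carry CVE identifiers, the first thing a patch-tracking script has to get right is recognising and normalising them. The following is an added example written for this page, not code from Oracle or from the CVE program: it validates the identifier syntax, canonicalises case and whitespace, deduplicates a list, and separates CVE IDs from leftover vendor-proprietary labels. It goes beyond the 2008 context in one respect, which is labelled in the comments: it also accepts the longer sequence numbers the CVE syntax has allowed since 2014. The sample strings are constructed to exercise the parser and are not entries from any Oracle risk matrix.

```python
import re

# Syntax of a CVE identifier: the literal prefix "CVE-", a four-digit year,
# and a sequence number of at least four digits.  Sequence numbers longer
# than four digits have been permitted since 2014 (the 2008 CPU only ever
# used four-digit ones); when longer, they are not zero-padded.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The CVE list began in 1999; anything earlier is a typo or a vendor label.
_FIRST_CVE_YEAR = 1999


def normalize_cve(raw: str) -> str:
    """Return the canonical upper-case form of a CVE ID, or raise ValueError."""
    candidate = raw.strip().upper()
    match = _CVE_RE.match(candidate)
    if match is None:
        raise ValueError(f"not a CVE identifier: {raw!r}")

    year, seq = int(match.group(1)), match.group(2)
    if year < _FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year in {raw!r}")
    if len(seq) > 4 and seq[0] == "0":
        # Five-or-more-digit sequence numbers must not carry leading zeros;
        # a string like CVE-2014-01234 is malformed, not a valid ID.
        raise ValueError(f"zero-padded long sequence number in {raw!r}")
    return candidate


def is_cve(raw: str) -> bool:
    """True if the string is a syntactically valid CVE identifier."""
    try:
        normalize_cve(raw)
    except ValueError:
        return False
    return True


def dedupe_cves(ids):
    """Normalize identifiers and drop duplicates, keeping first-seen order.

    Raises ValueError if any entry is not a CVE identifier, so a bad
    advisory line fails loudly instead of silently vanishing.
    """
    seen, out = set(), []
    for raw in ids:
        cve = normalize_cve(raw)
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def split_identifiers(ids):
    """Separate CVE IDs from other (e.g. vendor-proprietary) labels.

    Returns (cves, others); cves are canonicalised, others are stripped
    but otherwise left as written so they can be mapped by hand later.
    """
    cves, others = [], []
    for raw in ids:
        if is_cve(raw):
            cves.append(normalize_cve(raw))
        else:
            others.append(raw.strip())
    return cves, others


if __name__ == "__main__":
    # Constructed sample lines (syntax demo only, not real advisory entries).
    sample = ["cve-2008-0001", "CVE-2008-0001 ", "DB01", "CVE-2014-123456"]
    found, leftovers = split_identifiers(sample)
    print("CVE IDs:", dedupe_cves(found))
    print("non-CVE labels:", leftovers)
```

A practical use is to run `split_identifiers` over the identifier column of every CPU risk matrix a team tracks: anything that lands in the "others" list is a pre-July-2008 proprietary label that still needs to be mapped to a CVE by hand before it can be cross-referenced with scanner findings.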

Of the 45 fixes in the July CPU, 11 are for Oracle’s namesake database. None of the 11 can be exploited remotely over a network without a username and password. Flaws that can be exploited remotely without authentication pose the greatest risk to users, since an attacker needs nothing more than network reachability to the service. By comparison, Oracle’s April CPU included two database flaws that could be exploited remotely without authentication.

Oracle Application Server gets nine new security fixes, all of which can be exploited remotely without authentication. At least one of the Application Server issues was reported to Oracle as far back as October, according to a security advisory from security researcher David Litchfield.

“I hope that other researchers will follow Litchfield’s example and release details on vulnerabilities fixed in this Oracle patch,” Imperva’s Shulman said.

“Imperva was not aware of Litchfield’s discovery, since it was kept confidential by the researcher until it was announced,” Shulman said. “In an ideal world we would expect a vulnerability like this one to be patched sooner, but in the real world where Oracle must patch a complex software system compatible with multiple platforms it takes that long to issue a stable and reliable patch.”

Rounding out the CPU are Oracle E-Business Suite and Applications, which receive six new security fixes; Oracle Enterprise Manager, which gets two; and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne, which are patched for seven issues.

For the newcomer on the block, BEA, this critical patch update has seven new security fixes for the BEA Product Suite, four of which may be remotely exploitable.

Adding BEA to the CPU cycle at this point is relatively rapid for Oracle, which only acquired BEA this year.

In contrast, Siebel, which was acquired by Oracle in 2005, did not get added to the Oracle CPU cycle until April 2008.

“The inclusion of BEA in the CPU was particularly rapid because of the similarities that existed between the current CPU process at Oracle and the patching procedures previously in use at BEA,” Oracle’s Maurice blogged.
