Oracle users, it’s that time, again! The company has released its final Critical Patch Update (CPU) for 2008, with fixes for 36 vulnerabilities across the company’s product portfolio.
The bulk of the fixes this time come for the Oracle Database Server — though the most severe flaw resides in the Oracle WebLogic Server (formerly BEA WebLogic).
The CPU is a quarterly event for Oracle (NASDAQ: ORCL) users, with the since October 2006.
Oracle’s Application Server Suite gets six security fixes, two of which may be remotely exploitable without authentication. At the same time, Oracle E-Business Suite and Applications is being patched for four security issues, two of which are labeled as being remotely exploitable without authentication. The PeopleSoft and JDEdwards Suite receives five fixes in this update, with only two being remotely exploitable without authentication.
The BEA Product suite, which only first appeared on the Oracle CPU in July, sees six security fixes in the latest update, five of which are remotely exploitable without authentication.
Oracle also provide Common Vulnerability Scoring System (CVSS) scores for its vulnerabilities, which is intended to provide system administrators with a risk metric for determining severity. Of the 36 updates in the October CPU, only one vulnerability — for an Apache plugin in the Oracle WebLogic Server — received the highest CVSS score of 10.
Eric Maurice, manager for security in Oracle’s global technology business unit, noted in a blog post that the WebLogic issue is new, and not the same problem fixed by a previous security alert dealing with a similar issue.
“Vulnerability CVE-2008-4008 is a new vulnerability, which was reported to Oracle shortly before the creation of this CPU,” Maurice wrote. “A fix for this vulnerability was therefore included in this CPU in order to provide a prompt resolution and to help ensure that the security posture of WebLogic customers is maintained.”
The issue of whether a particular vulnerability is actually new troubles some security researchers.
“While small, this patch demonstrates … the most frustrating issues about securing Oracle database servers,” Amichai Shulman, CTO of database security firm Imperva told InternetNews.com. “Some of the vulnerabilities fixed by this patch appear in Oracle packages that have already been fixed at least once in the past three years.”
Shulman alleged that Oracle usually only fixes flaws in one component of a product, but other areas of that component may also be vulnerable to this same flaw. As a result, if the vulnerability is later identified in another part of the same component, a fix for the same flaw and the same product must be issued again.
Shulman has another bone to pick with Oracle. He said that Imperva reported a pair of vulnerabilities to Oracle that were apparently fixed in the latest CPU. The only problem is that Shulman can’t seem to tell where the fixes are.
“Information supplied by Oracle about the nature of vulnerabilities and potential workarounds is so scarce that it makes it difficult for researchers like Imperva to identify within a single patch the vulnerabilities that we have reported,” Shulman said. “Although Oracle had notified us that two vulnerabilities we reported were being fixed in yesterday’s CPU, based on the information supplied in the risk matrix, we are unable with 100 percent certainty to determine which ones they are.”
An Oracle spokesperson was not immediately available for comment.