Oracle Plugs 41 Security Flaws

The vulnerability count for Oracle software is on the rise with the latest April Critical Patch Update (CPU) fixing a total of 41 vulnerabilities.

The list of fixes tops Oracle’s last quarterly patch of 26 fixes issued in January.

The new security patch does, however, add updates for Oracle’s Siebel product line, which had not been included in previous CPUs.

In Oracle’s April 2007 update, Oracle patched 36 issues across the Oracle product lineup.

Oracle’s namesake database leads the vulnerability count this time with a total of 17 new fixes.

“It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer,” Slavik Markovich, CTO of Sentrigo commented. “What’s really interesting is that two of the vulnerabilities can be remotely exploited without authentication which basically means that your database is a sitting duck unless you deploy this patch. The last we saw of those was, I believe, 2 CPUs ago.”

The rest of Oracle’s April CPU patch haul is spread unevenly across Oracle products. Oracle E-Business Suite gets 11 new security fixes, 7 of which may be remotely exploited without authentication. Oracle Application Server receives 3 security fixes all of which are remotely exploitable without authentication. The PeopleSoft-JD Edwards Suite is being patched for 3 new security issues. Oracle Enterprise Manager rounds out the list of the usual Oracle products in a CPU with 1 new security fix.

The April CPU marks the debut of a new entry in the product lineup that gets fixed in the CPU cycle — Oracle’s Siebel CRM Applications. The April CPU provides 6 fixes for the Oracle Siebel Enterprise Suite, 3 of which may be remotely exploited without authentication.

Eric Maurice, manager for security in Oracle’s global technology business unit noted in a blog post that the CPU fixes for Siebel CRM Applications will be cumulative for the product line in which they apply.

“This will allow customers who have previously skipped security patches to quickly catch up by applying the most current CPU,” Maurice wrote.

He added that under the previous Siebel model, security fixes were often bundled with non-security fixes in what were called “Fix Packs.” Maurice argued that by being included in the CPU, Siebel Enterprise product users will now have better visibility into security issues.

Getting Siebel into the CPU mix has taken some time; after all, Oracle acquired Siebel in 2005.

“Most acquisitions will synchronize the release of their security patches with the quarterly CPU process and become part of the CPU process, in the way that PeopleSoft, JD Edwards, and now Siebel have,” an Oracle spokesperson told “The speed at which this will occur depends on how closely each organization’s current patching policy aligns with the CPU process, and the work required to adopt a quarterly cycle.”
