today issued its third critical patch update for 2007, fixing 45
security issues across its Database, Application Server, Collaboration
Suite, E-Business Suite, PeopleSoft and JD Edwards product lines.
With 17 patches, Oracle Database products top the fix list for security concerns, two of which are remotely exploitable without user authentication.
Oracle E-Business Suite received 14 patches, six of which are remotely exploitable. Collaboration Suite received five security fixes, with four remotely exploitable. Oracle Application Server needed four patches, three of which are remotely
exploitable without user authentication. Oracle Application Express totaled one patch.
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne needed seven total
fixes, only one of which is remotely exploitable without authorization.
The July Critical Patch Update (CPU) is the 11th such update since Oracle began the patch cycle initiative in 2004.
The patch cycle notifications continue to get more detailed. For example, in October 2006, Oracle began to detail which flaws were remotely exploitable without authentication. In this update, Oracle in adding the napply CPU (pronounced “en apply”).
In a blog post Eric Maurice, manager for security in Oracle’s global technology business unit, explained that the napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version
10.2.0.3 and onward (including 10.2.0.4 and 11g).
“In a napply CPU, the security fixes are now grouped in what are called molecules,” Maurice wrote on the Oracle Global Product Security blog.
“Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU. Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files. The napply CPU is for the benefit of customers who encounter merge conflicts when installing CPU patches.”
Though Maurice noted that most Oracle customers never encounter such
conflicts, the new CPU format should simplify patch conflict resolution
The July total for vulnerabilities is above the 36 flaws that Oracle fixed in its last CPU, which came out in
However, the 2007 security flaw tally is still an improvement over Oracle’s July 2006 vulnerability count, which notched 65 flaws.
One thing that is not included among Oracle’s CPU is Oracle’s enterprise
Monica Kumar, senior director of open source product marketing at Oracle, explained that the quarterly CPU and Oracle’s Linux
support program are completely separate issues. One of the reasons for this, Kumar noted, is that Linux patches need to be issued right away. According to Kumar, Oracle has released approximately 17 security fixes for Linux over the past six months.