Oracle’s 65 Flaw Update

Oracle’s July Critical Patch Update (CPU) is now out with fixes for a whopping 65 bugs.

Security firm Secunia rated the aggregate of the vulnerabilities “highly critical.”

The July patch haul is a significant increase over the 36 flaws that Oracle’s last quarterly update in April repaired. But it is fewer than the 82 flaws for January.

The July CPU, like its predecessors, covers a laundry list of Oracle software, including:

  • JD Edwards EnterpriseOne 8.x;
  • JD Edwards OneWorld 8.x;
  • Oracle Application Server 10g;
  • Oracle Collaboration Suite 10.x;
  • Oracle Database 10g;
  • Oracle Database 8.x;
  • Oracle E-Business Suite 11i;
  • Oracle Enterprise Manager 10.x;
  • Oracle PeopleSoft Enterprise Tools 8.x;
  • Oracle Pharmaceutical Applications 4.x;
  • Oracle Workflow 11.x;
  • Oracle9i Application Server;
  • Oracle9i Collaboration Suite;
  • Oracle9i Database Enterprise Edition;
  • Database Standard Edition and Oracle9i Developer Suite.

Ron Ben-Natan, CTO of database security and compliance company Guardium, commented that more than 75 percent of the vulnerabilities addressed in the July Critical Patch Update could impact database server availability, compared with less than 30 percent of the vulnerabilities disclosed in April.

According to Guardium’s analysis of the July CPU, Oracle Net (sometimes referred to as Net 8/9 or SQL*Net), RPC (remote procedure calls) and the Oracle Call Interface (OCI) represent the greatest share of patched vulnerabilities.

In Secunia’s analysis, some of the flaws in the July CPU could potentially be targeted with SQL injection attacks or used to compromise a vulnerable system. Secunia noted other flaws as having “unknown impact.”

Guardium’s analysis paints a less ominous picture.

“The silver lining with these vulnerabilities is that most affect only data availability and integrity, not confidentiality,” Ben-Natan said. “Still, companies need to be aggressive in updating their software, as skilled hackers can quickly compromise unpatched database servers.”

Oracle is likely to issue only one more patch update before the end of 2006, in keeping with its current quarterly patch update cycle.
